Abstract

This paper deals with products of moderate-size primes, familiarly 
known as smooth numbers. Smooth numbers play a crucial role in 
information theory, signal processing and cryptography. 

We present various properties of smooth numbers relating to their 
enumeration, distribution and occurrence in various integer sequences. 
We then turn our attention to cryptographic applications in which 
smooth numbers play a pivotal role. 






1 Introduction 



The goal of this paper is to shed light on the prominent role played by divisibility and smoothness in cryptography and related areas of mathematics. This work intends to survey a wide range of results while steering away from too well-known examples. To do so, we concentrate on some recently discovered applications of results about the arithmetic structure of integers.

We intend to convey to the reader a general comprehension of the state of the art, allow the devising of correct heuristics when problems cannot be tackled theoretically, and help assess the plausibility of new results.

In Section 3 we overview a number of number-theoretic results commonly used for studying the multiplicative structure of integers. Most of the elementary results which we use are readily available from [89]; more advanced results can be found, often in much more precise forms, in [50, 86, I9"T, 100, 156] and in many other standard analytic number theory manuals. Some of them are directly used in this paper, others remain in the background, but we illustrate with them the variety of cryptographically useful analytic number theory tools.

We start our exploration of the worlds of divisibility and smoothness by asking a number of natural questions. For instance, given a "typical" integer, what can be said about its largest divisor? Are Euler totient function values $\varphi(n)$ "typical" integers? What are the noteworthy properties of shifted primes $p - 1$? How common are numbers which factor into products of primes which are all smaller than a bound $b$? The results listed here are neither exhaustive nor new (we refer the reader to standard number theory books or to surveys such as [851 EH ESj] for a more formal and systematic topical treatment).

Then, in Section 9 we use these results to shed light on a number of cryptographic constructions and attacks.

We remark that the specifics of this area are such that many impressive works here may be underrated by non-experts as, at a first glance, they present only very small improvements over previously known results. However, these small improvements are often important steps forward and require the development of new ideas and very refined techniques. Some examples of such breakthrough achievements include:
• the estimate of Ford [61] on the counting function for the number of values of the Euler function, see Section 3.5;

• the estimates of Ford [HI] on the counting function of integers with an integer divisor in a given interval, see Section 8.3;

• the very tight estimates of Croot, Granville, Pemantle & Tetali [53] on the stopping time of the Dixon factoring algorithm, see Section 9.1.

Probably the oldest application of smoothness and divisibility is the celebrated Chinese Remainder Theorem, which allows us to accelerate cryptographic functions and basic arithmetic operations using specific integer formats called residue number systems, see [129]. Results of this kind certainly deserve an independent treatment and we leave them outside of the framework of this paper.

We also recall that the idea of breaking a complex operation, depending on a parameter $n$, into a recursion of simpler operations depending on the prime factors of $n$ can also be found in other fields such as signal processing.

The finite Fourier transform of a complex $n$-dimensional vector $y$ is the $n$-dimensional vector $Y$ defined as

$$\sum_{j=0}^{n-1}$$

where $\omega_n = e^{-2\pi i/n}$ is a complex $n$-th root of unity. Now, assume that $n = 2m$ is even. We see that

$$\sum_{\substack{j=0\\ j\ \text{even}}}^{n-1} \qquad \sum_{\substack{j=0\\ j\ \text{odd}}}^{n-1} \qquad \sum_{j=0}^{m-1} \qquad \sum_{j=0}^{m-1}$$

In other words, the initial finite Fourier transform can be broken into two transforms of length $n/2$ on the projections of $y$ on even and odd dimensions. The same applies to divisibility by any prime or prime power and allows us to derive a recursive Fast Fourier Transform algorithm of sub-quadratic complexity when $n$ is smooth, [SHI ES]. Applications of this kind are also left out as we restrict ourselves to the cryptographic genre.
In general, number-theoretic results first appear as such; then, if appropriate, they are either directly applied or fine-tuned for cryptographic applications. Nonetheless, there are cases where important developments in cryptography have led to new arithmetic results. For example, such is the bound of Coppersmith, Howgrave-Graham & Nagaraj [16] on the number of divisors $d \mid n$ of a given integer $n$ in a prescribed arithmetic progression $d \equiv a \pmod k$, which is based on the ideas of the celebrated attack of Coppersmith [131 HI] on RSA moduli with partially known factors. Yet another example is given by Boneh [22], see Section 6.2 below.

2 Conventions 

2.1 Notations 

Throughout this paper we use Vinogradov's notation $f(x) \ll g(x)$, which is equivalent to the Landau notation $f(x) = O(g(x))$, whilst being easier to chain as, for example, $f(x) \ll g(x) = h(x)$.¹ If convenient, we also write $g(x) \gg f(x)$ instead of $f(x) \ll g(x)$. We also write $f(x) \asymp g(x)$ if $f(x) \ll g(x) \ll f(x)$.

The letter $p$ (possibly subscripted) always denotes a prime; $\varepsilon$ always stands for a small positive parameter on which implied constants may depend; $\log x$ denotes the natural logarithm of $x$. Calligraphic letters, for example $\mathcal{A} = (a_n)$, usually denote sequences of integers.

For a prime power $q$, we use $\mathbb{F}_q$ to denote the finite field of $q$ elements.

For an integer $N$, we use $\mathbb{Z}_N$ to denote the residue ring modulo $N$.

2.2 Arithmetic Functions 

We use the following standard notations for the most common arithmetic functions for integers $m \ge 2$:

• $P(m)$, the largest prime divisor of $m$,

• $\varphi(m)$, the Euler (totient) function of $m$,

• $\omega(m)$, the number of distinct prime divisors of $m$,

• $\tau(m)$, the number of positive integer divisors of $m$.

Recall that $\varphi(m)$ is the number of positive integers $i \le m$ with $\gcd(i, m) = 1$ and that $\tau(m)$ is sometimes denoted as $\sigma_0(m)$.

We also define $P(1) = \omega(1) = 0$ and $\tau(1) = \varphi(1) = 1$.

Clearly $2^{\omega(m)} \le \tau(m)$ and the inequality is tight for square-free $m \ge 1$.

Letting $x > 0$ be a real number, we denote by:

• $\pi(x)$ the number of primes $p \le x$,

• $\pi(x; q, a)$ the number of primes $p \le x$ such that $p \equiv a \pmod q$.

¹ Note that $f(x) = O(g(x)) = h(x)$ is meaningless and $f(x) = O(g(x)) = O(h(x))$ may discard some useful information.

2.3 Integer Sequences

Besides the sequence of natural numbers $\mathbb{N}$, we devote in this paper particular attention to the following integer sequences:

• $\mathcal{P}_a = \{p + a : p \text{ prime}\}$,

• $f(\mathbb{N}) = \{f(n) : n = 1, 2, \ldots\}$,

• $\varphi(\mathbb{N}) = \{\varphi(n) : n = 1, 2, \ldots\}$,

• $\varphi(\mathcal{P}_a) = \{\varphi(p + a) : p \text{ prime}\}$.

In other words, $\mathcal{P}_a$ is the sequence of shifted primes, $f(\mathbb{N})$ is the sequence of polynomial values over $\mathbb{N}$, $\varphi(\mathbb{N})$ is the sequence of Euler function values and $\varphi(\mathcal{P}_a)$ is the sequence of Euler function values of shifted primes.

Amongst the sequences $\mathcal{P}_a$, the instances $a = \pm 1$ are of special interest in cryptography and thus many papers concentrate only on these values. As results can usually be extended to any $a \ne 0$ at the cost of mere typographical changes, this work usually presents these results in this more general form.
2.4 Smoothness

$n \in \mathbb{N}$ is smooth if $n$ has only small prime divisors. As the previous sentence does not define what small is, we formally define $n$ as $y$-smooth if all prime divisors $p \mid n$ are such that $p \le y$.

Alternatively, $n$ is $y$-smooth if and only if $P(n) \le y$.

Let $\mathcal{A} = (a_n)$ be a sequence. We denote by $\psi(x, y; \mathcal{A})$ the number of $y$-smooth $a_n$ values found amongst the first $x$ elements of $\mathcal{A}$ (that is, for $n \le x$). The following compact notations are used for the specific sequences defined in Section 2.3:

$$\psi(x,y) = \psi(x,y;\mathbb{N}),\qquad \pi_a(x,y) = \psi(x,y;\mathcal{P}_a),\qquad \psi_f(x,y) = \psi(x,y;f(\mathbb{N})),$$

$$\Phi(x,y) = \psi(x,y;\varphi(\mathbb{N})),\qquad \Pi_a(x,y) = \psi(x,y;\varphi(\mathcal{P}_a)).$$



2.5 The Dickman–de Bruijn Function

The Dickman–de Bruijn function $\rho(u)$ is probably the most popular smoothness density estimation tool.

$\rho(u)$ is defined recursively by:

$$\rho(u) = \begin{cases} 1 & \text{if } 0 \le u \le 1,\\[4pt] 1 - \displaystyle\int_1^u \frac{\rho(v-1)}{v}\,dv & \text{if } u > 1. \end{cases}$$

Note that $\rho(u) = 1 - \log u$ for $1 \le u \le 2$. For example, $\rho(\sqrt{e}) = 1/2$, that is, about half of the integers $n \le x$ have no prime divisors larger than $n^{1/\sqrt{e}} = n^{0.6065\ldots}$. This has been used by Vinogradov [164] and by Burgess [33] to estimate the smallest quadratic non-residue modulo a prime.

It is not difficult to show that as $u \to \infty$:

$$\rho(u) = u^{-u+o(u)} \qquad (1)$$

and, more precisely,

$$\rho(u) = \left(\frac{e + o(1)}{u \log u}\right)^{u};$$

even more accurate approximations to $\rho(u)$ are known, see [156, Chapter III.5, Theorem 8].

3 Number Theoretic Facts 

3.1 Distribution of Primes 

The Prime Number Theorem states that for any fixed $A > 0$:

$$\pi(x) = \mathrm{li}\,x + O\!\left(\frac{x}{(\log x)^A}\right), \qquad (2)$$

where

$$\mathrm{li}\,x = \int_2^x \frac{dt}{\log t}.$$

Alternatively, using a more convenient (yet equivalent) formulation, in terms of the $\vartheta$-function

$$\vartheta(x) = \sum_{p \le x} \log p,$$

we can write that for any fixed $A > 0$:

$$\vartheta(x) = x + O\!\left(\frac{x}{(\log x)^A}\right).$$

A commonly committed crime against primes is the assertion that:

$$\pi(x) = \frac{x}{\log x} + O\!\left(\frac{x}{(\log x)^A}\right)$$

for any fixed $A > 0$, which is wrong, although, of course,

$$\pi(x) \sim \mathrm{li}\,x \sim \frac{x}{\log x}.$$

An asymptotic estimate of the number of primes in arithmetic progressions is given by the Siegel–Walfisz theorem, see [SUl Theorem 1.4.6] or, in an alternative form, [156, Chapter II.8, Theorem 5], which states that for every fixed $A > 0$ there exists $C > 0$ such that for $x \ge 2$ and for all positive integers $q \le (\log x)^A$,

$$\max_{\gcd(a,q)=1} \left|\pi(x;q,a) - \frac{\mathrm{li}\,x}{\varphi(q)}\right| \ll x \exp\left(-C\sqrt{\log x}\right);$$

see also [100, Theorem 5.27].

While for larger values of $q$ only conditional asymptotic formulae are known (for example, subject to the Generalized Riemann Hypothesis), the Brun–Titchmarsh theorem, see [81)1 Chapter 3, Theorem 3.7], or [100, Theorem 6.6], or [156, Chapter I.4, Theorem 9], gives a tight upper bound on $\pi(x;q,a)$ for all $q \le x^{1-\varepsilon}$. Namely, we have

$$\pi(x;q,a) \ll \frac{x}{\varphi(q)\log(x/q)}$$

without any restrictions on $x$ and $q$.

Clearly for all $q \le x^{1-\varepsilon}$ we can replace $\log(x/q)$ in the denominator with $\log x$. Furthermore, this is conjectured to hold with just $\log x$ instead of $\log(x/q)$ in a wider range of $q$ (say up to $q \le x/(\log x)^A$ with some constant $A > 0$).

Finally, although for any given $q$ the Siegel–Walfisz theorem is the best known result, the Bombieri–Vinogradov theorem, see [100, Theorem 17.1], gives a much better estimate of $\pi(x;q,a)$ on average over $q$. In particular, for every $A > 0$ there exists $B$ such that

$$\sum_{q \le x^{1/2}(\log x)^{-B}}\ \max_{y \le x}\ \max_{\gcd(a,q)=1} \left|\pi(y;q,a) - \frac{\mathrm{li}\,y}{\varphi(q)}\right| \ll \frac{x}{(\log x)^A}.$$

We conclude with the trivial but helpful remark that the bounds

$$\pi(x;q,a) \le \pi(x) \qquad\text{and}\qquad \pi(x;q,a) \le \frac{x}{q} + 1$$

can also be sufficient sometimes to establish useful results.


3.2 Mertens Formulae 



We recall the Mertens formulae for the sums over primes

$$\sum_{p \le x} \frac{1}{p} = \log\log x + A + o(1), \qquad \sum_{p \le x} \frac{\log p}{p} = \log x + B + o(1)$$

and for the product

$$\prod_{p \le x}\left(1 - \frac{1}{p}\right)^{-1} = (C + o(1))\log x, \qquad (3)$$

where $A = 0.2614\ldots$, $B = 1.3325\ldots$, $C = e^{\gamma} = 1.7810\ldots$ and, as before, $\gamma = 0.5772\ldots$ is the Euler–Mascheroni constant, see [89, Sections 22.7 and 22.8] or [156, Sections I.1.4 and I.1.5]. Vinogradov [163] gives a sharp bound on the error term.

Note that the formula (3) is related to the fact that $\varphi(n)$ is rather large:

$$n \ge \varphi(n) \gg \frac{n}{\log\log n}.$$

3.3 Primes and the Zeta-Function

The Riemann zeta-function $\zeta(s)$ is defined for any $s \in \mathbb{C}$ with $\Re(s) > 1$ by

$$\zeta(s) = \sum_{n=1}^{\infty} \frac{1}{n^s}$$

and then is analytically continued to all $s \in \mathbb{C}$.

The Riemann Hypothesis postulates that all the zeros of $\zeta(s)$ with $0 < \Re(s) < 1$ are such that $\Re(s) = 1/2$. It is important to remind that there are other, trivial zeros outside of the critical strip $0 < \Re(s) < 1$.

The Generalized Riemann Hypothesis asserts that the same property holds for a much wider class of similar functions called $L$-functions.

There are some explicit formulae that relate $\pi(x)$ to the zeros of $\zeta$ in the critical strip. In particular, the non-vanishing $\zeta(1+it)\zeta(it) \ne 0$ for every $t \in \mathbb{R}$ implies the Prime Number Theorem in the form $\pi(x) \sim \mathrm{li}\,x$. In fact, the more we know about the distribution of the zeros of $\zeta$, the better the bound on $|\pi(x) - \mathrm{li}\,x|$ we get.

The best known result on the zero-free region of $\zeta$ is due to Ford [63], who gives a more explicit version of the previous result obtained independently by Korobov [107] and Vinogradov [165], see also [100]. In particular, thanks to these results, the asymptotic formula (2) can be sharpened as

$$\pi(x) - \mathrm{li}\,x \ll x \exp\left(-C (\log x)^{3/5} (\log\log x)^{-1/5}\right)$$

where $C = 0.2098$. A similar estimate for $\vartheta(x)$ can be obtained as well.

Unfortunately, besides the result of Ford [63] and a few other similar estimates, very little progress has been witnessed in this area over the last decades.

For $\Re(s) > 1$, the Dirichlet product is defined as:

$$\zeta(s) = \prod_p \left(1 + \frac{1}{p^s} + \frac{1}{p^{2s}} + \frac{1}{p^{3s}} + \cdots\right) = \prod_p \left(1 - \frac{1}{p^s}\right)^{-1} = \sum_{n=1}^{\infty} \frac{1}{n^s}.$$

More generally, letting $\mathcal{S}$ be any set of primes, and letting $\mathcal{N}_{\mathcal{S}}$ be the set of integers obtained by multiplying elements of $\mathcal{S}$, we have:

$$\prod_{p \in \mathcal{S}} \left(1 - \frac{1}{p^s}\right)^{-1} = \sum_{n \in \mathcal{N}_{\mathcal{S}}} \frac{1}{n^s}. \qquad (4)$$




3.4 Beyond the Generalized Riemann Hypothesis 



There is a common belief that the Generalized Riemann Hypothesis (GRH) fully characterizes the distribution of primes. This is unfortunately untrue and in many situations the GRH falls short of our expectations and heuristic predictions. For example, for the gaps $d_n = p_{n+1} - p_n$ between consecutive primes $p_1 < p_2 < \cdots$ the GRH only implies that $d_n \ll p_n^{1/2}(\log p_n)^2$, while gaps are expected to be much smaller (and even be equal to 2 infinitely often). Another example is the Elliott–Halberstam Conjecture, see [100, Section 17.1], which asserts that for any fixed $\varepsilon > 0$ and $A > 1$

$$\sum_{q \le x^{1-\varepsilon}}\ \max_{\gcd(a,q)=1}\left|\pi(x;q,a) - \frac{\mathrm{li}\,x}{\varphi(q)}\right| \ll \frac{x}{(\log x)^A}.$$

On the other hand, and quite amazingly, unconditional results on the distribution of primes which are stronger than results immediately implied by the GRH exist. One such estimate is the Brun–Titchmarsh theorem, see Section 3.1. Other examples include a thread of works by Bombieri, Friedlander & Iwaniec [19, 20, 21] which extends the Bombieri–Vinogradov theorem, see Section 3.1, beyond the square-root range.

One of the important applications of these results is a remarkable result of Mikawa [126], which asserts that for any fixed $a$ and almost all $q$ there is a prime $p \equiv a \pmod q$ with

$$p \le q^{32/17+o(1)}$$

as $q \to \infty$. For all $q$, the best known estimate $p \ll q^{11/2}$ is due to Heath-Brown [92].




3.5 Euler Function

Here are a few beautiful properties of the Euler function which can be found in many standard number theory manuals (see, for example, [89]). For example, it is easy to see that

$$\sum_{d \mid m} \varphi(d) = m \qquad\text{and}\qquad \varphi(m) = m\sum_{d \mid m} \frac{\mu(d)}{d},$$

where $\mu$ is the Möbius function. Furthermore, we have the identity

$$\sum_{m=1}^{\infty} \frac{\varphi(m)}{q^m - 1} = \frac{q}{(q-1)^2}$$

(valid for $|q| > 1$). Using these identities and simple analytic estimates one can derive the following asymptotic formulae:

$$\frac{1}{m^2}\sum_{k=1}^{m} \varphi(k) = \frac{3}{\pi^2} + O\!\left(\frac{\log m}{m}\right)$$

and

$$\frac{1}{m}\sum_{k=1}^{m} \frac{\varphi(k)}{k} = \frac{6}{\pi^2} + O\!\left(\frac{\log m}{m}\right).$$

We also have explicit inequalities such as:

$$\varphi(m) > \frac{m\log\log m}{e^{\gamma}(\log\log m)^2 + 3}$$

for $m \ge 3$, where $\gamma = 0.5772\ldots$ is the Euler–Mascheroni constant, and another explicit inequality valid for any $m > 1$. Finally, for composite $m$,

$$\varphi(m) < m.$$

There are also some much deeper questions about the Euler function. One of them is studying the cardinality

$$F(x) = \#\{\varphi(n) \le x\}$$

of the set of values of the Euler function up to $x$, for which Ford [61] obtained a very precise estimate.

Ford [62] has also established the validity of the Sierpiński conjecture that for any integer $k \ge 2$ there is $m$ such that the equation $\varphi(n) = m$ has exactly $k$ solutions. We recall that by the Carmichael conjecture, for any $m$ this equation has either at least two solutions or no solutions at all.

4 How Smooth? How Many?

4.1 Empirical Estimates: A Cautionary Note

Empirical estimates abound in cryptography. For example, many cryptographers readily admit that, in the absence of obvious divisibility conditions, the density of primes in a given integer sequence is identical to the density of primes in $\mathbb{N}$. This and several similar "postulates" can be frequently found throughout modern cryptographic literature. Let us illustrate the danger of such assumptions by a concrete example.

It is natural to approximate the probability that $p \nmid n$ when $n \le x$ is randomly chosen by $1 - 1/p$.

Now, assuming that all primes $p \le y$ are independent, we may infer that the probability that $p \nmid n$ for all $x \ge p > y$ when $n \le x$ is chosen at random is close to:

$$\prod_{x \ge p > y}\left(1 - \frac{1}{p}\right) = \prod_{p \le x}\left(1 - \frac{1}{p}\right)\prod_{p \le y}\left(1 - \frac{1}{p}\right)^{-1} \sim \frac{\log y}{\log x} = \frac{1}{u}$$

by virtue of the Mertens formula, where $u$ is given by

$$u = \frac{\log x}{\log y} \qquad\text{or}\qquad x = y^{u}. \qquad (6)$$

Here intuition leads to the seemingly elegant asymptotic formula

$$\psi(x,y) \sim \frac{x}{u},$$

which is ... completely wrong!




4.2 Estimating Smooth Integer Densities

One of the most popular estimates of $\psi(x,y)$ is:

$$\psi(x,y) = u^{-u+o(u)}\,x. \qquad (7)$$

This formula, due to Canfield, Erdős & Pomerance [33], is applicable in the very large range:

$$u \le y^{1-\varepsilon} \qquad\text{or}\qquad y \ge (\log x)^{1+\varepsilon},$$

but the behavior of $\psi(x,y)$ changes for $y < \log x$.

While (7) is not an asymptotic formula (since $o(u)$ is in the exponent), asymptotic formulae for $\psi(x,y)$ exist. In particular, Hildebrand [93] gave the asymptotic formula

$$\psi(x,y) \sim \rho(u)\,x \qquad (8)$$

for

$$u \le \exp\left((\log y)^{3/5-\varepsilon}\right) \qquad\text{or}\qquad y \ge \exp\left((\log\log x)^{5/3+\varepsilon}\right).$$

A precise estimate of the error term in (8) is given by Saias [142].

Note that (1) and (8) imply (7); of course (7) can also be obtained independently.

Unfortunately the validity range of (8) is much narrower than that of (7), and is likely to remain so for quite some time. Indeed, as per another result of Hildebrand [93], the validity of (8) in the range:

$$1 \le u \le y^{1/2-\varepsilon} \qquad\text{or}\qquad y \ge (\log x)^{2+\varepsilon}$$

is equivalent to the Riemann Hypothesis.
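The recurrence for $\rho(u)$ of Section 2.5 and the comparison of Sections 4.1 and 4.2 in code, as an added example that is not part of the paper: a sieve tabulates $P(n)$ to count $\psi(x,y)$ exactly, the defining integral of $\rho(u)$ is accumulated numerically, and the exact count is put next to the naive $x/u$ guess and the $\rho(u)x$ of (8). Function names are ours.

```python
# Added example (not from the paper): exact psi(x, y), the Dickman-de Bruijn rho(u)
# from its defining recurrence, and the Section 4.1 heuristic side by side.
import math


def largest_prime_factor_table(x):
    """P(n) for 0 <= n <= x by a sieve; P(1) = 0 as in the paper's convention."""
    P = [0] * (x + 1)
    for p in range(2, x + 1):
        if P[p] == 0:                      # no smaller prime hit p: p is prime
            for m in range(p, x + 1, p):   # every multiple gets p, which only grows
                P[m] = p
    return P


def psi_exact(x, y):
    """psi(x, y) = #{n <= x : P(n) <= y}; n = 1 is y-smooth for every y >= 1."""
    P = largest_prime_factor_table(x)
    return sum(1 for n in range(1, x + 1) if P[n] <= y)


def dickman_rho(u, m=1000):
    """rho(u) = 1 on [0, 1] and rho(u) = 1 - int_1^u rho(v - 1) / v dv for u > 1.

    The integral is accumulated with the trapezoid rule on the grid t_i = i / m.
    rho(t_i - 1) = rho(t_{i-m}) is already tabulated when t_i is reached, so the
    recurrence unwinds in a single pass from u = 1 upwards.
    """
    if u <= 1:
        return 1.0
    n = int(math.ceil(u * m))
    h = 1.0 / m
    rho = [1.0] * (m + 1)                  # rho = 1 on [0, 1]
    integral = 0.0
    f_prev = rho[0] / 1.0                  # integrand rho(v - 1) / v at v = 1
    for i in range(m + 1, n + 1):
        t = i * h
        f = rho[i - m] / t
        integral += h * (f_prev + f) / 2
        rho.append(1.0 - integral)
        f_prev = f
    lo = int(u * m)                        # interpolate between the grid points around u
    if lo >= n:
        return rho[n]
    frac = u * m - lo
    return rho[lo] * (1 - frac) + rho[lo + 1] * frac


def smooth_density_estimates(x, y):
    """Exact psi(x, y) next to the two heuristics of Sections 4.1 and 4.2:
    the naive x/u (wrong) and rho(u) x from (8); u = log x / log y as in (6)."""
    u = math.log(x) / math.log(y)
    return {
        "u": u,
        "exact": psi_exact(x, y),
        "naive_x_over_u": x / u,
        "rho_u_times_x": dickman_rho(u) * x,
    }


if __name__ == "__main__":
    print("rho(sqrt e) =", dickman_rho(math.sqrt(math.e)))   # 1 - log(sqrt e) = 1/2
    for x, y in ((10**4, 10), (10**5, 30), (10**6, 100)):
        print(x, y, smooth_density_estimates(x, y))
```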



5 Estimating ip(x, y) 

5.1 Counting Very Smooth Numbers: Lattices 

To estimate $\psi(x,y)$ for very small values of $y$ one can resort to a geometric approach introduced by Ennola [58], which has been developed up to its natural limit by Granville [82] (see also [HI]):

Let $2 = p_1 < \cdots < p_s \le y$ be all $s = \pi(y)$ primes up to $y$. Then:

$$\psi(x,y) = \#\left\{(a_1,\ldots,a_s) : \prod_{i=1}^{s} p_i^{a_i} \le x\right\} = \#\left\{(a_1,\ldots,a_s) : \sum_{i=1}^{s} a_i\log p_i \le \log x\right\}.$$

Thus our question boils down to counting integer points in a specific tetrahedron. The number of integer points in any "reasonable" convex body is close to its volume. However, this is correct only if the volume is large with respect to its dimension $s$.

Thus we may expect that:

$$\psi(x,y) \sim \frac{(\log x)^s}{s!\,\prod_{i=1}^{s}\log p_i}$$

if $y$ is reasonably small. This approach can yield rigorous estimates, see, for example, the works cited above.
5.2 Upper Bounds: Rankin's Method

For large values of $y$, the geometric approach fails to produce useful estimates. If only an upper bound is required, as is the case in many situations, then Rankin's method [139] provides a reliable alternative.

Fix any constant $c > 0$. Then

$$\psi(x,y) = \sum_{\substack{n \le x\\ p \mid n \Rightarrow p \le y}} 1 \ \le\ \sum_{\substack{n \le x\\ p \mid n \Rightarrow p \le y}} \left(\frac{x}{n}\right)^{c} \ \le\ \sum_{p \mid n \Rightarrow p \le y} \left(\frac{x}{n}\right)^{c}. \qquad (9)$$

The underlying idea is that most of the contribution to $\psi(x,y)$ comes from integers which are close to $x$, so, although $(x/n)^c$ is larger than one for such integers, it is not much larger. On the other hand, $(x/n)^c$ decreases rapidly to zero when $n$ is much larger than $x$. So the above two steps do not cause over-counts.

Using the fact that the right hand side of (9) is an infinite series which can be represented as a Dirichlet product (see (4)), we get:

$$\psi(x,y) \le x^{c}\sum_{p \mid n \Rightarrow p \le y}\frac{1}{n^{c}} = x^{c}\prod_{p \le y}\left(1 - \frac{1}{p^{c}}\right)^{-1}. \qquad (10)$$

Using the Prime Number Theorem (in its best available asymptotic form) we estimate the product on the right hand side of (10) as a function of $y$ and $c$ and minimize over all possible choices of $c > 0$.

This task is technical but feasible and yields the quasi-optimal choice:

$$c = 1 - \frac{u\log u}{\log y},$$

which, in turn, yields an upper bound of the form (7).

Simplicity (despite a few final technicalities) is the main advantage of this approach. In exchange, it suits only upper bounds and is apparently incapable of producing lower bounds.
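Sections 5.1 and 5.2 in code, as an added example that is not part of the paper: the first function counts the lattice points $(a_1,\ldots,a_s)$ of the simplex directly and can be compared with the simplex volume, the second evaluates the right hand side of (10) for any $c > 0$ and searches for the $c$ giving the smallest bound, next to the quasi-optimal $c = 1 - u\log u/\log y$. Function names are ours.

```python
# Added example (not from the paper): psi(x, y) as a lattice-point count (Section 5.1)
# and Rankin's upper bound (Section 5.2).
import math


def primes_up_to(y):
    """Primes p <= y by the sieve of Eratosthenes."""
    if y < 2:
        return []
    is_prime = bytearray([1]) * (y + 1)
    is_prime[0] = is_prime[1] = 0
    for p in range(2, int(y ** 0.5) + 1):
        if is_prime[p]:
            is_prime[p * p::p] = bytearray(len(range(p * p, y + 1, p)))
    return [p for p in range(2, y + 1) if is_prime[p]]


def psi_lattice(x, y):
    """#{(a_1, ..., a_s) : prod p_i^{a_i} <= x}, the integer points of the simplex
    sum a_i log p_i <= log x.  Depth-first walk over the primes: at index i the partial
    product n is multiplied by p_i while it stays <= x.  Once n * p_i > x every later
    (larger) prime also overshoots, so the only completion is all-zero exponents: one
    point.  Each leaf is exactly one y-smooth n <= x, n = 1 included."""
    ps = primes_up_to(y)

    def walk(i, n):
        if i == len(ps) or n * ps[i] > x:
            return 1
        count = 0
        while n <= x:
            count += walk(i + 1, n)
            n *= ps[i]
        return count

    return walk(0, 1)


def simplex_volume(x, y):
    """Volume of {a_i >= 0, sum a_i log p_i <= log x}: (log x)^s / (s! prod log p_i)."""
    ps = primes_up_to(y)
    vol = math.log(x) ** len(ps) / math.factorial(len(ps))
    for p in ps:
        vol /= math.log(p)
    return vol


def rankin_bound(x, y, c):
    """x^c * prod_{p <= y} (1 - p^{-c})^{-1}, the right hand side of (10).
    For every c > 0 this bounds psi(x, y) from above: each y-smooth n <= x
    contributes (x/n)^c >= 1 to the full series, and the other terms are positive."""
    if c <= 0:
        raise ValueError("Rankin's trick needs c > 0")
    bound = x ** c
    for p in primes_up_to(y):
        bound /= 1.0 - p ** (-c)
    return bound


def rankin_minimized(x, y, grid=400):
    """Smallest Rankin bound over c on a grid in (0, 1], as (bound, c), plus the bound
    at the paper's quasi-optimal c = 1 - u log u / log y (None when that c <= 0,
    which happens for small y)."""
    best = min((rankin_bound(x, y, k / grid), k / grid) for k in range(1, grid + 1))
    u = math.log(x) / math.log(y)
    c_star = 1.0 - u * math.log(u) / math.log(y)
    at_c_star = rankin_bound(x, y, c_star) if c_star > 0 else None
    return best, (at_c_star, c_star)


if __name__ == "__main__":
    for x, y in ((10**4, 10), (10**6, 100), (10**8, 1000)):
        exact = psi_lattice(x, y)
        (b, c), (b_star, c_star) = rankin_minimized(x, y)
        print(f"x={x} y={y} exact={exact} volume={simplex_volume(x, y):.1f} "
              f"rankin_min={b:.1f} at c={c:.3f} rankin_at_c*={b_star} c*={c_star:.3f}")
```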
5.3 Asymptotic Formula: Buchstab–de Bruijn's Recurrence

We write each $y$-smooth $n > 1$ as $n = pm$ where $p = P(n)$ is the largest prime factor of $n$. We note that $m \le x/p$ and $m$ is $p$-smooth.

Collecting together integers $n$ with $P(n) = p$ we get:

$$\psi(x,y) = 1 + \sum_{p \le y}\psi\!\left(\frac{x}{p}, p\right) \qquad (11)$$

(where the 1 at the front accounts for $n = 1$), which is called the Buchstab–de Bruijn recurrence.

This recurrence formula has been used for both lower and upper bounds and even for deriving asymptotic formulae.

We now use (11) to "prove" (8) for each fixed $u$ (we closely follow [85, Section 3.5]).

The "proof" is by induction over $N$, where $u \in (N, N+1]$. To ease the comprehension we deliberately ignore error terms and use the sign $\approx$ without specifying its formal meaning. However, we do guarantee to the reader that a more careful analysis can recast the following formulae into a proper proof.

We start with the observation that for $0 < u \le 1$ we trivially have

$$\psi(x, x^{1/u}) = \lfloor x \rfloor.$$

For $1 < u \le 2$ (that is, for $x \ge y \ge \sqrt{x}$), noticing that non-$y$-smooth numbers have one and only one prime divisor $p > y$, we get:

$$\psi(x,y) = \lfloor x\rfloor - \sum_{y < p \le x}\left\lfloor \frac{x}{p}\right\rfloor.$$

Therefore, by the Mertens formula,

$$\psi(x,y) \approx x\bigl(1 - (\log\log x - \log\log y)\bigr) = x(1 - \log u) = \rho(u)\,x.$$

We now note that the above step ... was not really necessary. It is nonetheless a good warming-up exercise for the next "induction" step.

Suppose that

$$\psi(x, x^{1/u}) \approx \rho(u)\,x$$

holds for $0 < u \le N$.

Consider a value of $u \in (N, N+1]$.

Subtracting the Buchstab–de Bruijn relation (11) with $y = x^{1/N}$:

$$\psi(x, x^{1/N}) = 1 + \sum_{p \le x^{1/N}}\psi\!\left(\frac{x}{p}, p\right)$$

from the same relation with $y = x^{1/u}$:

$$\psi(x, x^{1/u}) = 1 + \sum_{p \le x^{1/u}}\psi\!\left(\frac{x}{p}, p\right),$$

we obtain

$$\psi(x, x^{1/u}) = \psi(x, x^{1/N}) - \sum_{x^{1/u} < p \le x^{1/N}}\psi\!\left(\frac{x}{p}, p\right) \approx x\left(\rho(N) - \sum_{x^{1/u} < p \le x^{1/N}}\frac{1}{p}\,\rho\!\left(\frac{\log(x/p)}{\log p}\right)\right),$$

since

$$\frac{\log(x/p)}{\log p} = \frac{\log x}{\log p} - 1 \le \frac{\log x}{\log(x^{1/u})} - 1 = u - 1 \le N,$$

so the induction hypothesis applies (error terms ignored).

We now recall the definition of the function $\vartheta(z)$ and the Prime Number Theorem (2). Writing $z = x^{1/t}$, by partial summation, we get

$$\sum_{x^{1/u} < p \le x^{1/N}}\frac{1}{p}\,\rho\!\left(\frac{\log(x/p)}{\log p}\right) = \int_{x^{1/u}}^{x^{1/N}}\rho\!\left(\frac{\log x}{\log z} - 1\right)\frac{d\vartheta(z)}{z\log z} \approx \int_{x^{1/u}}^{x^{1/N}}\rho\!\left(\frac{\log x}{\log z} - 1\right)\frac{dz}{z\log z} = \int_{N}^{u}\rho(t-1)\,\frac{dt}{t}.$$

We confess that a terrible offence has just been committed: instead of differentiating $\vartheta(z)$ we have differentiated its approximation $z$. However, a more careful examination shows that the above formulae are still correct.

Therefore

$$\psi(x, x^{1/u}) \approx \left(\rho(N) - \int_{N}^{u}\rho(t-1)\,\frac{dt}{t}\right)x = \rho(u)\,x,$$

which concludes our "proof".

Estimating the largest prime divisor is a necessary step in many number-theoretic algorithms. For instance, Bach, von zur Gathen & Lenstra [3] introduce an algorithm for factoring polynomials over finite fields of characteristic $p$. The complexity of this algorithm depends on the largest prime divisor of the value $\Phi_k(p)$ of the $k$-th cyclotomic polynomial at $p$. A relationship between a number and its largest divisor allows to tune $k$ for every $p$ and optimize complexity. We refer the reader to [141, 144, 168] for more related results.

6 Smoothness Miscellanea

6.1 Evaluating $\psi(x,y)$

To optimize (balance) the complexity of steps in several cryptographic algorithms, one often needs more precise information about $\psi(x,y)$ than current² estimates and asymptotic formulae can provide.

For example, Parsell & Sorenson [134], improving several previous results of Bernstein [13], have shown that for any parameter $a$, one can estimate $\psi(x,y)$ up to a factor $1 + O(a^{-1}\log x)$ in time

$$O\!\left(\ \cdots\ + a\log x\log a\right).$$

A number of related results can be found in [9U, 147, 153, 154].

² proven or conjectured
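The recurrence (11) of Section 5.3 used as an exact way of evaluating $\psi(x,y)$, the theme of Section 6.1, as an added example that is not part of the paper: a memoized implementation of $\psi(x,y) = 1 + \sum_{p \le y}\psi(x/p, p)$, checked against the $1 < u \le 2$ identity $\psi(x,y) = \lfloor x\rfloor - \sum_{y<p\le x}\lfloor x/p\rfloor$ and against the approximation $x(1 - \log u)$ of the same section. Names are ours; primes come from trial division, adequate for the small $y$ used here.

```python
# Added example (not from the paper): the Buchstab-de Bruijn recurrence (11) as a
# way to evaluate psi(x, y) exactly, checked against the u in (1, 2] identity.
import math
from functools import lru_cache


def primes_up_to(limit):
    """Primes <= limit by trial division (fine for the small limits used here)."""
    return [p for p in range(2, limit + 1)
            if all(p % d for d in range(2, int(p ** 0.5) + 1))]


def psi_buchstab(x, y):
    """psi(x, y) = 1 + sum_{p <= y} psi(x / p, p)  for x >= 1,  psi(x, y) = 0 for x < 1.

    Every y-smooth n > 1 is n = p m with p = P(n) and m a p-smooth integer <= x/p,
    so grouping by p gives the recurrence; the leading 1 counts n = 1.
    Arguments are floored: psi(x, y) depends only on floor(x) and the primes <= y,
    and floor(floor(x) / p) == floor(x / p) for integer p."""
    ps = primes_up_to(int(y))

    @lru_cache(maxsize=None)
    def rec(xi, yi):
        if xi < 1:
            return 0
        total = 1
        for p in ps:
            if p > yi or p > xi:      # primes are increasing: nothing more to add
                break
            total += rec(xi // p, p)
        return total

    return rec(int(x), int(y))


def psi_one_large_prime(x, y):
    """For sqrt(x) <= y <= x (1 < u <= 2) a non-y-smooth n <= x has exactly one prime
    factor p > y, hence psi(x, y) = floor(x) - sum_{y < p <= x} floor(x / p)."""
    xi = int(x)
    return xi - sum(xi // p for p in primes_up_to(xi) if p > y)


def dickman_step(x, y):
    """The Section 5.3 approximation x (1 - log u) = rho(u) x, valid for 1 <= u <= 2."""
    u = math.log(x) / math.log(y)
    return x * (1.0 - math.log(u))


if __name__ == "__main__":
    for x, y in ((100, 10), (10**4, 100), (10**5, 400)):
        print(x, y, psi_buchstab(x, y), psi_one_large_prime(x, y), round(dickman_step(x, y)))
    print(psi_buchstab(10**6, 100))   # u = 3: beyond the one-large-prime identity
```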
6.2 Constructing Constrained Smooth Numbers

Producing smooth numbers is trivial. However, constructing constrained smooth numbers appears to be a challenging problem. A natural constraint, stemming from the study of digital signatures, is the requirement that the $y$-smooth number belongs to a given interval $[x, x+z]$.

Boneh [22], motivated by certain cryptographic problems, has devised a polynomial-time algorithm solving this problem for some $x, y, z$ parameter combinations.

Results about the existence of very smooth numbers with a prescribed bit pattern at a certain position are given in [145], see also [HD] which gives an alternative approach (via character sums instead of exponential sums) that may probably be used to further improve the aforementioned result of [145].

More research in this area is certainly very desirable.



6.3 Rough Numbers

An integer $n$ is $y$-rough if all prime divisors $p \mid n$ are such that $p > y$. We denote by $Q(x,y)$ the number of $y$-rough integers smaller than $x$.

Buchstab [32] gives the asymptotic formula:

$$Q(x,y) \sim \omega(u)\,\frac{x}{\log y},$$

where the Buchstab function $\omega(u)$ is defined as follows:

$$\omega(u) = \frac{1}{u}\times\begin{cases} 1, & \text{if } 1 \le u \le 2,\\[4pt] 1 + \displaystyle\int_1^{u-1}\omega(t)\,dt, & \text{if } u > 2. \end{cases}$$

Rough numbers can be viewed as "approximations" to primes. Rough numbers can be easily found and are proven to exist in various integer sequences of cryptographic interest. For example, Joye, Paillier & Vaudenay [102] use rough numbers as "interesting" candidates for primality testing during cryptographic key generation.
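The rough-number count and the Buchstab function of Section 6.3, as an added example that is not part of the paper: a sieve that crosses out every multiple of a prime $\le y$ leaves exactly the $y$-rough integers (the "approximations to primes" that serve as candidates for a primality test), and $\omega(u)$ is integrated from its defining recurrence. It assumes $Q(x,y)$ counts $n = 1$; names are ours.

```python
# Added example (not from the paper): y-rough integers by sieving, and the Buchstab
# function omega(u) from its recurrence, for the asymptotic Q(x, y) ~ omega(u) x / log y.
import math


def rough_integers(x, y):
    """All y-rough n <= x (every prime factor > y), n = 1 included: cross out the
    multiples of each prime p <= y.  A prime p <= y is recognised because it survives
    the crossing-out by the smaller primes, so no separate prime list is needed."""
    keep = bytearray([1]) * (x + 1)
    keep[0] = 0
    for p in range(2, min(int(y), x) + 1):
        if keep[p]:                       # p is prime (not hit by a smaller prime)
            keep[p::p] = bytearray(len(range(p, x + 1, p)))   # removes p itself too
    return [n for n in range(1, x + 1) if keep[n]]


def rough_count(x, y):
    """Q(x, y): the number of y-rough integers up to x."""
    return len(rough_integers(x, y))


def buchstab_omega(u, m=1000):
    """omega(u) = 1/u on [1, 2] and omega(u) = (1 + int_1^{u-1} omega(t) dt) / u for u > 2.

    Tabulated on the grid t_i = i/m: J_i = int_1^{t_i} omega is accumulated with the
    trapezoid rule, and omega(t_i) for t_i > 2 uses J_{i-m} = int_1^{t_i - 1} omega,
    which is already known.  Linear interpolation between grid points at the end."""
    if u < 1:
        raise ValueError("omega(u) is defined for u >= 1")
    n = int(math.ceil(u * m))
    h = 1.0 / m
    omega = [0.0] * (n + 1)
    J = [0.0] * (n + 1)
    omega[m] = 1.0                        # omega(1) = 1
    for i in range(m + 1, n + 1):
        t = i * h
        omega[i] = 1.0 / t if i <= 2 * m else (1.0 + J[i - m]) / t
        J[i] = J[i - 1] + h * (omega[i - 1] + omega[i]) / 2
    lo = int(u * m)
    if lo >= n:
        return omega[n]
    frac = u * m - lo
    return omega[lo] * (1 - frac) + omega[lo + 1] * frac


def rough_density_estimate(x, y):
    """Buchstab's approximation omega(u) x / log y next to the exact Q(x, y)."""
    u = math.log(x) / math.log(y)
    return {"u": u, "exact": rough_count(x, y),
            "buchstab": buchstab_omega(u) * x / math.log(y)}


if __name__ == "__main__":
    print(rough_integers(60, 5))          # 1 and the integers <= 60 free of 2, 3, 5
    for x, y in ((10**4, 10), (10**5, 50), (10**6, 100)):
        print(x, y, rough_density_estimate(x, y))
```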
6.4 Large Smooth Divisors

It is also natural to ask how often integers are expected to have a large smooth divisor; or, from a more quantitative perspective, to explore the behavior of:

$$Q(x,y,z) = \#\{n \le x : \exists\, d \mid n,\ d > z,\ d \text{ is } y\text{-smooth}\}.$$

While $Q(x,y,z)$ has been addressed in the classical literature on smooth numbers, see [87, 156, 157], it has not received as much attention as $\psi(x,y)$.

Some asymptotic formulae for $Q(x,y,z)$ have recently been given by Banks & Shparlinski [11] and Tenenbaum [159]. These formulae involve the parameter $u$ appearing in (6) and a parameter $v$ defined as:

$$v = \frac{\log z}{\log y}.$$

The formulae also contain an integral involving $\rho(u)$ and its derivative. Part of the motivation in [11] comes from a cryptographic problem discussed by Menezes [122], see as well Section 9.12.

Shifted primes with large smooth divisors are studied by Pomerance & Shparlinski [137].

6.5 Next Largest Prime Divisors

Characterizing the second largest prime divisor is of interest too, as the complexity of factoring an integer $n$ with Lenstra's elliptic curve factorization method [111] (commonly called 'the ECM') depends on this prime divisor.

More generally, denoting by $P_j(n)$ the $j$-th largest prime divisor of $n$, one may consider the joint distribution

$$\psi(x, y_1, \ldots, y_k) = \#\{n \le x \mid P_j(n) \le y_j,\ j = 1,\ldots,k\}.$$

The work of Tenenbaum [158] contains the most recent results and further references on this topic.

The case $k = 2$ is especially important. Indeed, using the above notation, the ECM algorithm factors $n$ completely in a time bounded in terms of $p$, where $p = P_2(n)$. This case has also got special attention in [1], see also [152] for some other applications.




6.6 Other Facts

In this section we present several unrelated results which, while unlikely to have any obvious cryptographic applications, still prove interesting for our exploration of smooth numbers.

Balog and Wooley [5] have considered $k$-tuples of consecutive smooth integers and proved that for any $k$ and $\varepsilon > 0$ there are infinitely many $n$ such that $n + i$ is $n^{\varepsilon}$-smooth for $i = 1, \ldots, k$. In fact the proof in [8] is based on very nice and elementary explicit constructions.

One can also take $k \to \infty$ and $\varepsilon \to 0$ (slowly) when $n \to \infty$.

Balog [6] proved that each sufficiently large integer $N$ can be written as $N = n_1 + n_2$ where $n_1, n_2$ are $N^{\alpha}$-smooth, where

$$\alpha = \frac{4}{9\sqrt{e}} = 0.2695\ldots.$$

Results of this type may be considered as dual to the binary Goldbach conjecture claiming that all positive even integers $N \ge 4$ can be represented as the sum of two primes.

Finally, various bounds of rational exponential sums

$$S_{a,q}(x,y) = \sum_{\substack{n \le x\\ n \text{ is } y\text{-smooth}}} \exp\left(2\pi i\,\frac{an}{q}\right), \qquad\text{where } \gcd(a,q) = 1,$$

are given by Fouvry & Tenenbaum [69] and also by de la Bretèche & Tenenbaum [27]. Multiplicative character sums

$$T_{a,q}(x,y) = \sum_{\substack{n \le x\\ n \text{ is } y\text{-smooth}}} \chi(n-a), \qquad\text{where } \gcd(a,q) = 1,$$

with a nonprincipal multiplicative character $\chi$ modulo $q$ are estimated in [146]. We also note that asymptotic formulae for the sums

$$\sum_{\substack{a < n \le x\\ n \text{ is } y\text{-smooth}}}\frac{\varphi(n-a)}{n-a} \qquad\text{and}\qquad \frac{1}{\psi(x,y)}\sum_{\substack{a < n \le x\\ n \text{ is } y\text{-smooth}}}\varphi(n-a)$$

are given in [117]. On the other hand, obtaining asymptotic formulae (or even good estimates) for the corresponding sums is still an open problem.

7 Smoothness in Integers Sequences 

7.1 Smooth Numbers in Arithmetic Progressions 

So far we considered the distribution of smooth values in the set of all natural numbers. A very natural generalization of this question, which is also of cryptographic interest, is the study of smooth numbers with an additional congruence condition.

In particular, we introduce the counting functions

$$\psi(x,y;a,q) = \#\{n \le x : n \text{ is } y\text{-smooth},\ n \equiv a \pmod q\}$$

and

$$\psi_q(x,y) = \#\{n \le x : n \text{ is } y\text{-smooth},\ \gcd(n,q) = 1\}.$$

Tenenbaum [155] proved that

$$\psi(x,y;a,q) \sim \frac{1}{\varphi(q)}\,\psi_q(x,y)$$

in a wide range of parameters.

In turn, a family of lower bounds of the form $\psi(x,y;a,q) \gg \cdots$ (of decreasing strength but in increasingly larger ranges of $x$, $y$ and $q$) can be found in [EDJ E31 El EDI Q3B]. Some of these bounds hold for all $a$ with $\gcd(a,q) = 1$, others hold only for almost all such integers $a$.

We note that bounds of exponential and character sums $S_{a,q}(x,y)$ and $T_{a,q}(x,y)$, see Section 6.6, can also be interpreted as results about the uniformity of distribution of smooth numbers in arithmetic progressions "on average".

7.2 Smooth Numbers in Small Intervals 

We now turn our attention to the sequence of integers in "short" intervals 
[x, x + z). 

Accordingly, 

ip(x, V, z) = i/j(x + z,y)- i/j(x, y). 
It is natural to expect that: 

ip(x,y,z) ~ p(u)z 

in a wide range of x, y and z. 

A series of ingenious results due to Balog [5], Croot [52], Friedlander & Granville [72], Friedlander & Lagarias [72], Harman [90] and Xuan [161] gives various interesting bits of information, but in general the status of this problem is far from satisfactory.

Croot's work [52] is particularly interesting as it uses a quite unusual tool: bounds of bilinear Kloosterman sums due to Duke, Friedlander & Iwaniec [56].

From both cryptographic and number theoretic perspectives, the main challenge is that of obtaining good lower bounds on $\psi(x, y, A\sqrt{x})$, which appears to be currently out of reach. This case is of special importance as it is crucial for the rigorous analysis of Lenstra's elliptic curve factoring algorithm [111]. We note that the result of Croot [52] applies to intervals of similar length but unfortunately for y values which are much larger than those appearing in [111].

Finally, we recall that Lenstra, Pila & Pomerance [112, 113] have found an ingenious way to circumvent this problem by introducing a hyperelliptic factoring algorithm. For this algorithm, smooth numbers in large intervals ought to be studied, which is already a feasible task. This has been achieved at the cost of very delicate arguments and required the development of new algebraic and analytic tools by the authors.



7.3 Smooth Shifted Primes 

Let $\pi_a(x, y)$ be the counting function of smooth shifted primes given in Section 2.3.

It is strongly believed that for any fixed $a \ne 0$ the asymptotic formula

$$\pi_a(x, y) \sim \rho(u)\,\pi(x) \qquad (12)$$

holds for a wide range of x and y. Unfortunately, results of such breadth seem unreachable using current techniques.

However, rather strong upper bounds are known. For example, Pomerance & Shparlinski [137] gave the estimate

$$\pi_a(x, y) \ll u\rho(u)\,\pi(x)$$

for

$$\exp\left(\sqrt{\log x\log\log x}\right) \le y \le x.$$

In a shorter range

$$\exp\left((\log x)^{2/3+\varepsilon}\right) \le y \le x$$

the "right" upper bound

$$\pi_a(x, y) \ll \rho(u)\,\pi(x)$$

follows from a result of Fouvry & Tenenbaum [70, Theorem 4].

It is not just the asymptotic formula (12) which is presently out of reach. In fact, even obtaining lower bounds on $\pi_a(x, y)$ is an extremely difficult task where progress seems to be very slow.

The best known result, due to Baker & Harman [9], only asserts that there is a positive constant A such that for $a \ne 0$,

$$\pi_a(x, y) \gg \frac{\pi(x)}{(\log x)^A}$$

for $u < 3.377\ldots$ (where, as before, u is defined by (6)), see also [91].

For most applications the logarithmic loss in the density of such primes is not important. However, if this becomes an issue, one can use the bound of Friedlander [71]:

$$\pi_a(x, y) \gg \pi(x),$$

which, however, is proven only for $u < 2\sqrt{e} = 3.2974\ldots$.

Finally, we recall that yet another result of Baker & Harman [9] guarantees that

$$\pi(x) - \pi_a(x, y) \gg \pi(x)$$

for $u > 1.477\ldots$.

The above results can be reformulated under the following equivalent 
forms which are usually better known and in which they are more frequently 
used. 

For some absolute constants $A, C > 0$ and for any $a \ne 0$:

• there are at least $C\pi(x)/(\log x)^A$ primes $p \le x$ such that $p + a$ has a prime divisor $q \ge p^{0.6776}$;

• there are at least $C\pi(x)/(\log x)^A$ primes $p \le x$ such that all prime divisors q of $p + a$ satisfy $q \le p^{0.2962}$.

The above two statements are expected to hold with $A = 0$, with $1 - \varepsilon$ instead of 0.6776 and with $\varepsilon$ instead of 0.2962 (for any $\varepsilon > 0$).

It is interesting to recall that results about shifted primes $p - 1$ having a large prime divisor play a central role in the deterministic primality test of Agrawal, Kayal & Saxena [1].

7.4 Smooth Values of Polynomials 

Let $f(X) \in \mathbb{Z}[X]$ and let $\psi_f(x, y)$ be defined as in Section 2.4.

As in the case of shifted primes, rather strong upper bounds on $\psi_f(x, y)$ exist, see for example the results of Hmyrova [96] and Timofeev [160].

For a squarefree polynomial f, Martin [119] gives an asymptotic formula of the type

$$\psi_f(x, y) \sim \rho(d_1 u)\rho(d_2 u)\cdots\rho(d_k u)\,x,$$

where $d_1, d_2, \ldots, d_k$ are the degrees of the irreducible factors of f over $\mathbb{Z}[X]$. This holds only for very large values of y. See as well several related results by Dartyge, Martin & Tenenbaum [51], where smooth values of polynomials at prime arguments (that is, of $f(p)$) are also discussed.

7.5 Smooth Totients 

Let $\Phi(x, y)$ and $\Pi_a(x, y)$ be the functions counting smooth values of the Euler function on integers and shifted primes, respectively, see Section 2.4.

Banks, Friedlander, Pomerance & Shparlinski [10] have shown that in the range

$$y \ge (\log\log x)^{1+\varepsilon}$$

we have

$$\Phi(x, y) \le x\exp\left(-(1 + o(1))\,u\log\log u\right). \qquad (13)$$

There are two interesting things to note about this result:

• the range is wider than that of (7), with $\log\log y$ instead of $\log y$;

• the bound is weaker than that of (7), with $\log\log u$ instead of $\log u$ in the exponent.

Both bullet points reflect the fact that the values of the Euler function tend to be smoother than integers and shifted primes. Furthermore, under a plausible conjecture about smooth shifted primes similar to (12), a matching lower bound on $\Phi(x, y)$ has been obtained in [10]. Under even stronger conjectures, Lamzouri [109] has obtained an asymptotic formula for $\Phi(x, y)$ and similar quantities related to iterations of the Euler function.

To estimate $\Pi_a(x, y)$, we can now use the trivial inequality

$$\Pi_a(x, y) \le \Phi(x + |a|, y),$$

which, in fact, is quite sufficient for many applications. Furthermore, in a wide range of parameters, unless u is small, the above is equivalent to the expected estimate

$$\Pi_a(x, y) \le \pi(x)\exp\left(-(1 + o(1))\,u\log\log u\right),$$

which is a full analogue of (13).

However, for small values of u, obtaining the above estimate remains an important open problem.

On the other hand, in some ranges, several other bounds for $\Pi_a(x, y)$ have been obtained in [10] using different techniques (such as a sieve method). For example, for $y \ge \exp\left(\sqrt{\log x\log\log x}\right)$ we have

and for $y \ge \log x$, we have

$$\Pi_a(x, y) \ll \frac{\pi(x)}{\exp\left((1/2 + o(1))\sqrt{u}\log u\right)} + \frac{\pi(x)\log\log x}{\exp\left((1 + o(1))\,u\log u\right)}.$$

Note that estimates on the number of smooth values of the Euler function of polynomial sequences with integer and prime arguments, that is, $\varphi(f(n))$ and $\varphi(f(p))$, are given in [10] as well.



7.6 Smooth Cardinalities of Elliptic Curves 

One aspect of this question has already been mentioned in Section 7.2 in relation to the elliptic curve factoring algorithm of Lenstra [111].

It is also interesting and important to study the arithmetic structure of the cardinalities of the reductions of a given elliptic curve defined over $\mathbb{Q}$ modulo distinct primes. More precisely, given an elliptic curve E over $\mathbb{Q}$, we denote by $N_p = \#E(\mathbb{F}_p)$ the cardinality of the set of rational points on the reduction of E modulo p (for a sufficiently large prime p such a reduction always leads to an elliptic curve over $\mathbb{F}_p$).

The number of prime divisors of $N_p$ has been studied by Cojocaru [ID], Iwaniec & Jimenez Urroz [DDJ, Jimenez Urroz [103], Liu [114, 115, 116], Miri & Murty [127] and Steuding & A. Weng [T5D].

Some heuristics about the number of prime values of $N_p$ for $p \le x$ have been discussed by Galbraith & McKee [73], Koblitz [1051 EE] and Weng [T66]. An upper bound on this quantity is obtained by Cojocaru, Luca & Shparlinski [JT], see also [39].

However, it seems that there are no smoothness results about the numbers $N_p$, although this issue has been touched upon in McKee [121]. Probably obtaining an asymptotic formula or even a good lower bound on the number of y-smooth values of $N_p$ for $p \le x$ is very hard, but perhaps some upper bounds can be established.

Results of this kind are of great importance for elliptic curve cryptography.

7.7 Smooth Class Numbers 

For an integer $d < 0$ we denote by $h(d)$ the class number of the imaginary quadratic field $\mathbb{Q}(\sqrt{d})$. Let $\mathcal{D}$ be the set of fundamental discriminants, that is, the set of integers $d < 0$ such that

• either $d \equiv 1 \pmod 4$ and d is square-free,

• or $d \equiv 0 \pmod 4$, $d/4 \equiv 2, 3 \pmod 4$ and $d/4$ is square-free.

Using the so-called Cohen-Lenstra heuristics for divisibility of class numbers, see [38], Hamdy & Saidak [SSJ derived a conditional asymptotic formula for the number of $d \in \mathcal{D}$ with $-d \le x$ for which $h(d)$ is y-smooth. Unfortunately, this seems to be the only known result in this really exciting direction, see [31] for the relevance of these problems to cryptography. Studying the smoothness of class numbers of other fields is of great interest too but is perhaps a very hard question.

7.8 Smooth Numbers in Sumsets 

We recall that de la Bretèche [25] gives a result of surprising generality and strength stating that, under some conditions, the proportion of smooth numbers among the sums $a + b$, where $a \in A$ and $b \in B$, is close to the expected value for a wide class of sets $A, B \subseteq \mathbb{Z}$.

For example, let A and B be two sets of integers in the interval $[1, x]$. Then, for any fixed $\varepsilon > 0$ and uniformly for

$$\exp\left((\log x)^{2/3+\varepsilon}\right) \le y \le x,$$

we have

$$\#\{(a, b) \in A \times B : a + b \text{ is } y\text{-smooth}\} = \rho(u)\cdot\#A\,\#B\left(1 + O\left(\frac{x\log(u+1)}{\sqrt{\#A\,\#B}\,\log y}\right)\right),$$

where, as usual, u is given by (6).

Although the authors are unaware of any immediate cryptographic applications of this result, we underline its high potential, given its generality and "condition-free" formulation.

Several other relevant results are given by Croot [51].



7.9 Smooth Polynomials Over Finite Fields 

In full analogy with the case of integers, we say that a polynomial $F \in \mathbb{K}[x]$ over a field $\mathbb{K}$ is k-smooth if all irreducible divisors $f \mid F$ satisfy $\deg f \le k$.

For a finite field $\mathbb{F}_q$ of q elements we denote

$$N_q(m, k) = \#\{f \in \mathbb{F}_q[x] : \deg f \le m,\ f \text{ is } k\text{-smooth and monic}\}.$$

Define

$$u = \frac{m}{k} = \frac{m\log q}{k\log q}$$

(the last expression makes the analogy with formula (6) completely explicit).

The systematic study of $N_q(m, k)$ dates back to the work of Odlyzko [133], who also discovered the relevance of this quantity to the discrete logarithm problem in finite fields.
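As an added illustration (my code, not the paper's), $N_q(m, k)$ can be computed exactly from Gauss's formula for the number of monic irreducibles of each degree, which also lets one check the analogy $u = m/k$ against Dickman's $\rho$ in the range $u \le 2$ where $\rho$ has a closed form; the function names and the small sample sizes are assumptions of the example.

```python
# Added example, not from the paper: exact N_q(m, k) via the generating
# function prod_{d <= k} (1 - t^d)^(-I_q(d)), where I_q(d) counts monic
# irreducibles of degree d, and the smooth proportion among degree-m
# polynomials compared with rho(m/k).  Names and sizes are my own choices.
from math import comb, log


def mobius(n):
    """Moebius function by trial division (small n only)."""
    result, d = 1, 2
    while d * d <= n:
        if n % d == 0:
            n //= d
            if n % d == 0:
                return 0
            result = -result
        d += 1
    return -result if n > 1 else result


def irreducible_count(q, d):
    """Monic irreducibles of degree d over F_q: (1/d) sum_{e | d} mu(e) q^(d/e)."""
    return sum(mobius(e) * q ** (d // e) for e in range(1, d + 1) if d % e == 0) // d


def smooth_poly_counts(q, m, k):
    """c[n] = number of monic k-smooth polynomials of degree exactly n, n <= m,
    i.e. the coefficients of prod_{d <= k} (1 - t^d)^(-I_q(d)) up to t^m."""
    c = [1] + [0] * m
    for d in range(1, k + 1):
        I = irreducible_count(q, d)
        if I == 0:
            continue
        # (1 - t^d)^(-I) = sum_j C(I + j - 1, j) t^(d j)
        factor = {d * j: comb(I + j - 1, j) for j in range(m // d + 1)}
        new = [0] * (m + 1)
        for n, cn in enumerate(c):
            if cn:
                for shift, coef in factor.items():
                    if n + shift <= m:
                        new[n + shift] += cn * coef
        c = new
    return c


def N_q(q, m, k):
    """N_q(m, k): monic k-smooth f in F_q[x] with deg f <= m."""
    return sum(smooth_poly_counts(q, m, k))


def dickman_rho(u):
    """Dickman's rho for 0 < u <= 2 only: 1 on (0, 1], 1 - log u on [1, 2]."""
    if u <= 1:
        return 1.0
    if u <= 2:
        return 1.0 - log(u)
    raise ValueError("closed form used here covers u <= 2 only")


def smooth_fraction(q, m, k):
    """Share of monic degree-m polynomials that are k-smooth: the analogue of
    psi(x, y)/x with x = q^m and y = q^k, to be compared with rho(m/k)."""
    return smooth_poly_counts(q, m, k)[m] / q ** m


if __name__ == "__main__":
    print(N_q(2, 4, 1), N_q(2, 3, 2))                 # 15 and 13
    print(smooth_fraction(2, 20, 12), dickman_rho(20 / 12))
```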

Several very precise results about $N_q(m, k)$ have recently been given by Bender & Pomerance [13]. For example, by [13, Theorem 2.1] we have

$$N_q(m, k) = \ldots$$

as $k \to \infty$ and $u \to \infty$, uniformly for $q^k \ge m(\log m)^2$, and by [13, Theorem 2.2] we also have

$$N_q(m, k) \ge \ldots$$

for $k \le \ldots\, m$.
8 Distribution of Divisors

8.1 More On Intuition

We have already seen in Section 4.1 that carelessly applied intuition may lead to wrong conclusions. The following is yet another example.

It is obvious that the density of perfect squares $n = d^2$ is extremely small, as there are only $\lfloor\sqrt{x}\rfloor$ perfect squares up to x.

Let us relax the relation n = k 2 and consider n = km with k < m < k imi 
for k,m e N. Such integers can be called quasi-squares. 

It is natural to ask whether the density of quasi-squares is still small. Say, are there only $o(x)$ quasi-squares up to x? As the results below indicate, such quasi-squares form a set of positive density, which perhaps does not match the intuition (too bad for the intuition...).

8.2 Notations 

Given a sequence of integers $\mathcal{A} = (a_n)$, we denote

$$H(x, y, z; \mathcal{A}) = \#\{a_n \le x : \exists\, d \mid a_n \text{ with } y < d \le z\}.$$

As usual, in the case of $\mathcal{A} = \mathbb{N}$ we define

$$H(x, y, z) = H(x, y, z; \mathbb{N}).$$

8.3 Natural Numbers 

This case goes back to two old questions of Erdős:

Given an integer N, what is the size $M(N)$ of the multiplication table $\{nm : 1 \le m, n \le \sqrt{N}\}$?

and

Is it true that almost all integers n have two divisors $d_1 \mid n$ and $d_2 \mid n$ with $d_1 < d_2 < 2d_1$?

Hall & Tenenbaum's book [ST] contains a very detailed treatment of such questions. For example, for the size of the multiplication table we have from [64, Corollary 3]

$$M(N) \asymp \frac{N}{(\log N)^{\delta}(\log\log N)^{3/2}}, \qquad N \to \infty,$$

where

$$\delta = 1 - \frac{1 + \log\log 2}{\log 2} = 0.008607\ldots \qquad (14)$$

is the Erdős number, see also [156, Theorem 23] for a slightly less precise result.

Ford [64] has recently obtained a series of remarkable improvements of several previously known results. Several related results can also be found in [261 ESI EFJ 11081 1156j. Unfortunately, exact formulations of precise results lead to rather cluttered technical conditions and estimates, which also depend on the relative sizes of x, y and z as well as on $z - y$ and $z/y$. Thus we limit our discussion to only a few sample results.

For example, let us define $v > 0$ by the relation

$$z = y^{1 + 1/v}.$$

Then, by [64, Theorem 1], for any real x, y and z with

$$x \ge \max\{100000, y^2\} \qquad \text{and} \qquad x \ge z \ge y \ge 100$$

we have

$$H(x, y, z; \mathbb{N}) \asymp \begin{cases} x\, v^{-\delta}(\log v)^{-3/2}, & \text{if } 2y \le z \le y^2, \\ x, & \text{if } z \ge y^2, \end{cases}$$

where δ is the Erdős number.

In particular, we see that for $\varepsilon > 0$ and any sufficiently large y, we have

$$H(x, y, y^{1+\varepsilon}; \mathbb{N}) \gg x, \qquad (15)$$

where the implied constant only depends on $\varepsilon > 0$. Thus, there is a positive density of integers $n \le x$, depending only on $\varepsilon > 0$, which have a divisor $d \mid n$ in the interval $d \in [y, y^{1+\varepsilon}]$.
We now prove (15) in the special case where y is a power of x. That is, we prove that for $0 < \alpha < \beta < 1$:

$$H(x, x^{\alpha}, x^{\beta}; \mathbb{N}) \gg x. \qquad (16)$$

In our proof we consider only prime divisors $p \in [x^{\alpha}, x^{\beta}]$ (instead of integer divisors) and make the following two trivial observations:

• there are $x/p + O(1)$ integers $n \le x$ divisible by p;

• each $n \le x$ may have at most $K = \lfloor 1/\alpha\rfloor$ of them (as $p \ge x^{\alpha}$ and $n \le x$).

Hence,

$$H(x, x^{\alpha}, x^{\beta}; \mathbb{N}) \ge \frac{1}{K}\sum_{x^{\alpha} \le p \le x^{\beta}}\left(\frac{x}{p} + O(1)\right),$$

and the sum on the right hand side counts every integer $n \le x$ with a prime divisor $p \in [x^{\alpha}, x^{\beta}]$ at most K times. Therefore

$$H(x, x^{\alpha}, x^{\beta}; \mathbb{N}) \gg x\sum_{x^{\alpha} \le p \le x^{\beta}}\frac{1}{p} + O(x^{\beta}).$$

By the Mertens formula, we now obtain

$$H(x, x^{\alpha}, x^{\beta}; \mathbb{N}) \gg x\left(\log\log(x^{\beta}) - \log\log(x^{\alpha}) + o(1)\right) = x\left(\log\frac{\log(x^{\beta})}{\log(x^{\alpha})} + o(1)\right) = x\left(\log\frac{\beta}{\alpha} + o(1)\right),$$

and (16) follows.



There are other tell-tale signs that integer divisors are densely distributed. For example, for an integer $n > 1$ we denote

$$T(n) = \max_{i = 1, \ldots, \tau(n) - 1}\frac{d_{i+1}}{d_i},$$

where $1 = d_1 < \ldots < d_{\tau(n)} = n$ are the positive divisors of n. Clearly,

$$T(n) \le P(n).$$

However, for many integers $T(n)$ is much smaller than $P(n)$. By a result of Saias [143, Theorem 1], we know that for any fixed t and sufficiently large x,

$$\#\{n \le x : T(n) \le t\} \asymp \frac{x\log t}{\log x}.$$
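Added example, not from the paper: brute-force values of $H(x, y, z)$, of the multiplication-table size $M(N)$ and of the prime-divisor count used in the proof of (16) on small x, so that the positive-density claims of this section can be observed directly; the function names and the sample sizes are mine.

```python
# Added example, not from the paper: sieve-based H(x, y, z), the multiplication
# table size M(N), and the density of integers with a prime divisor in
# (x^alpha, x^beta] next to the Mertens quantity log(beta/alpha) from the
# proof of (16).  Sample sizes (x = 10^5, N = 100) are constructed.
from math import isqrt, log


def is_prime(n):
    if n < 2:
        return False
    return all(n % p for p in range(2, isqrt(n) + 1))


def H(x, y, z, primes_only=False):
    """#{n <= x : some d | n with y < d <= z}.  With primes_only=True the
    divisor d is restricted to primes, as in the proof of (16)."""
    hit = bytearray(x + 1)
    for d in range(y + 1, z + 1):
        if primes_only and not is_prime(d):
            continue
        for n in range(d, x + 1, d):        # mark every multiple of d
            hit[n] = 1
    return sum(hit)


def multiplication_table_size(N):
    """M(N) = number of distinct products n*m with 1 <= m, n <= sqrt(N)."""
    r = isqrt(N)
    return len({n * m for n in range(1, r + 1) for m in range(n, r + 1)})


def density_with_prime_divisor(x, alpha, beta):
    """Fraction of n <= x having a prime divisor in (x^alpha, x^beta], together
    with log(beta/alpha), the Mertens-formula quantity of the proof of (16)."""
    y, z = int(x ** alpha), int(x ** beta)
    return H(x, y, z, primes_only=True) / x, log(beta / alpha)


if __name__ == "__main__":
    print("M(100) =", multiplication_table_size(100))     # 42 distinct entries
    d, mertens = density_with_prime_divisor(10**5, 0.3, 0.5)
    print(f"prime-divisor density {d:.3f} vs log(beta/alpha) = {mertens:.3f}")
    print(H(10**5, 31, 316) / 10**5, "of n <= 10^5 have some divisor in (31, 316]")
```

The integer-divisor count is much larger than the prime-divisor one, which is why the proof can afford to throw away all composite divisors and still get a positive density.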

8.4 Shifted Primes 

Ford [01] has given upper bounds on $H(x, y, z; \mathcal{P}_a)$ of about the same strength as those applying to $H(x, y, z; \mathbb{N})$, where $\mathcal{P}_a$ is defined in Section 2.3.

The situation with lower bounds on $H(x, y, z; \mathcal{P}_a)$ is quite bleak, although heuristically there is little doubt that $H(x, y, z; \mathcal{P}_a)$ should behave similarly to $H(x, y, z; \mathbb{N})$.

One of the very few known lower bounds (yet, with many cryptographic applications) is given in [64, Theorem 7]: for $a \ne 0$ and $0 < \alpha < \beta$:

$$H(x, x^{\alpha}, x^{\beta}; \mathcal{P}_a) \gg \pi(x)$$

(where the implied constant depends on a, α and β).

The proof is similar to our proof of (16), but requires some technical analytic number theory tools, namely the Bombieri-Vinogradov theorem, see Section 3.1, since instead of integers $n \le x$ with $p \mid n$ we need to count primes $q \le x$ with $p \mid (q - a)$.

To implement this approach one also needs the elementary observation that it is enough to consider only the case $0 < \alpha < \beta \le 1/2$ (since if $d \mid n$ then $n/d$ is also a divisor of n).

Finally, we remark that the Brun pure sieve (that is, a properly truncated version of the inclusion-exclusion principle), see [86, Theorem 2.3], or [156, Theorem 3, Section 1.4.2], immediately implies that for any $a \ne 0$
H(x,y,z;P a )=^l + o(^)j^{x). (17) 

For example, the bound (17) can be used for the analysis of some cryptographic attacks of Cheon [35].
8.5 Polynomials

Unfortunately there seem to be no results about the distribution of integer divisors of polynomials. Nonetheless, this problem does not look hopeless.

8.6 Cardinalities of Elliptic Curves

As in the case of polynomials, there seem to be no results about the distribution of divisors of cardinalities of elliptic curves over finite fields. The question is certainly hard but not completely hopeless and deserves to be studied. Furthermore, Menezes & Ustaoglu [124] point out that this question has direct cryptographic applications.

It is probable that for the set of all elliptic curves over a given finite field $\mathbb{F}_q$ new results can be obtained by combining the Brun sieve technique, see [86, Theorem 2.3], or [156, Theorem 3, Section 1.4.2], with results of Howe [97] on divisibility statistics of elliptic curves.

8.7 Totients 

Here is another confirmation that totients are not typical integers.

As we have mentioned, $H(x, y, z; \mathcal{P}_a)$ is expected to behave similarly to $H(x, y, z; \mathbb{N})$. However, the behaviour of $H(x, y, z; \varphi(\mathbb{N}))$ is very different.

Given that typical values of the Euler function

• have more prime divisors, due to a result of Erdős & Pomerance [59],

• have more integer divisors, due to a result of Luca & Pomerance [118],

• are smoother, due to a result of Banks, Friedlander, Pomerance & Shparlinski [10], see also Section 7.5,

than a typical integer, it is also natural to expect that totients have denser divisor sets. This is supported by several recent results of Ford & Hu [66], who in particular show that

• uniformly over $1 \le y \le x/2$, we have $H(x, y, 2y; \varphi(\mathbb{N})) \gg x$;

• for $y = x^{o(1)}$, we have $H(x, y, 2y; \varphi(\mathbb{N})) \sim x$;

• for a positive proportion of integers n, there is a divisor $d \mid \varphi(n)$ in every interval of the form $[K, 2K]$, $1 \le K \le n$.

9 Cryptographic Applications 

9.1 Smoothness in Factoring and Discrete Logarithms 

Most integer factorization algorithms, such as Dixon's method, the Quadratic 
Sieve, index calculus, the Number Field Sieve or Elliptic Curve Factoring 
have been designed and analyzed (either rigorously or heuristically) using 
our current knowledge and understanding of smooth numbers. The same 
also applies to many primality tests and algorithms for solving the discrete 
logarithm problem. 

Results about the arithmetic structure of "typical" integers are therefore 
of high cryptographic relevance. As most results are already well publicized 
in the community, we illustrate them by one example (next section) and refer 
the reader to [50] for further information. 

Nonetheless, new results and applications keep appearing regularly. The works of Croot, Granville, Pemantle & Tetali [53] and of Agrawal, Kayal & Saxena [1] are typical examples.

In [53] various results about the arithmetic structure of integers are used to give a very precise analysis of Dixon's factoring algorithm. In [1] results about shifted primes with a large divisor, see Section 7.3, form the core of the algorithm.

9.2 Index Calculus in $\mathbb{F}_p^*$

We start by highlighting the role of smooth numbers in algorithms solving the Discrete Logarithm Problem.

Namely, given two integers a and b and a prime p, we consider the problem of computing k (denoted $k = \mathrm{Dlog}_a b$) such that $b \equiv a^k \pmod p$ and $0 \le k \le p - 2$.

The algorithm is assembled in two steps. We first use a certain (very strong) assumption and then show how to get rid of it.

Initial Assumption: Let us fix some y (to be optimized later) and assume that we know the discrete logarithms of all primes $p_1, \ldots, p_s$ up to y, where $s = \pi(y)$.

Under this assumption we perform the following steps:

Step 1: Pick a random integer m and compute

$$c \equiv b a^m \equiv a^{k+m} \pmod p, \qquad 0 \le c < p.$$

Note that

$$\mathrm{Dlog}_a c \equiv \mathrm{Dlog}_a b + \mathrm{Dlog}_a a^m \equiv \mathrm{Dlog}_a b + m \pmod{p - 1}.$$

The cost of this step is negligible.

Step 2: Try to factor c, assuming that c, treated as an integer, is y-smooth. Let

$$c = p_1^{\alpha_1}\cdots p_s^{\alpha_s}.$$

For doing so, use trial division or the elliptic curve factorization algorithm.

Note that

$$\mathrm{Dlog}_a c \equiv \alpha_1\mathrm{Dlog}_a p_1 + \ldots + \alpha_s\mathrm{Dlog}_a p_s \pmod{p - 1}.$$

The cost of this step is about y operations (less if [111] is used).

Step 3: If the previous step succeeds, output

$$\mathrm{Dlog}_a b \equiv \alpha_1\mathrm{Dlog}_a p_1 + \ldots + \alpha_s\mathrm{Dlog}_a p_s - m \pmod{p - 1},$$

otherwise repeat the first step.

The cost of this step is about $p/\psi(p, y) = u_p^{(1 + o(1))u_p}$ iterations, where

$$u_p = \frac{\log p}{\log y}$$

(under the assumption that $c < p$ is random).
Thus the total cost, ignoring nonessential factors, is about $y\,u_p^{u_p}$. Taking $y = \exp\left(\sqrt{\log p\log\log p}\right)$ we get an algorithm of complexity

$$\exp\left(2\sqrt{\log p\log\log p}\right)$$

but... it is premature to celebrate the victory, as we need to get rid of the assumption that the discrete logarithms of all small primes are available.

Removing the Assumption: We apply the same algorithm for each $p_i$, $i = 1, \ldots, s$, as b. Then at Step 3 we get a congruence

$$\mathrm{Dlog}_a p_i \equiv \alpha_{1,i}\mathrm{Dlog}_a p_1 + \ldots + \alpha_{s,i}\mathrm{Dlog}_a p_s - m_i \pmod{p - 1},$$

for $i = 1, \ldots, s$.

We cannot find $\mathrm{Dlog}_a p_i$ immediately, but after getting such relations for every $p_i$, $i = 1, \ldots, s$, we have a system of s linear congruences in s variables. If the system is not of full rank we continue to generate a few relations until a full rank system is reached (this overhead is negligible as most "random" matrices are non-singular). Therefore the cost of creating such a system of congruences is about $y^2 u_p^{u_p}$ and the cost of solving it is about $y^3$ (less if fast linear algebra algorithms are used, see, for example, [75]).

Choosing y optimally, we obtain an algorithm of complexity

$$\exp\left(O\left(\sqrt{\log p\log\log p}\right)\right).$$

The above approach can be improved and optimized in many ways, finally yielding a subexponential algorithm of asymptotic complexity

$$\exp\left(\sqrt{(2 + o(1))\log p\log\log p}\right)$$

that can also be rigorously analyzed; this is done by Pomerance in [136].

We have presented the above example because of its illustrative value although a much faster algorithm exists: the number field sieve, see [50], whose complexity is $\exp\left(O\left((\log p)^{1/3}(\log\log p)^{2/3}\right)\right)$.
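An added toy implementation of the index calculus just described (my code, not the paper's): it assumes the safe prime p = 1019, so that the relation system is solved modulo q = 509 by Gaussian elimination and modulo 2 by Euler's criterion, and it replaces the random m of Step 1 by m = 1, 2, 3, ... for reproducibility. At this size it only shows where the trade-off between the factor base size y and the $u_p^{u_p}$ smoothness cost comes from.

```python
# Added example, not from the paper: index calculus in F_p^* for p = 1019,
# a = 2 (a generator, since 1019 = 3 mod 8), factor base = primes up to 20.
# Assumptions: p is a safe prime (p - 1 = 2q), so the relation system is
# solved mod q by Gauss-Jordan and mod 2 by Euler's criterion; m runs over
# 1, 2, 3, ... instead of being random.  Tiny on purpose.

def primes_up_to(y):
    """Factor base p_1, ..., p_s: all primes up to y (s = pi(y))."""
    sieve, out = [True] * (y + 1), []
    for n in range(2, y + 1):
        if sieve[n]:
            out.append(n)
            for k in range(n * n, y + 1, n):
                sieve[k] = False
    return out


def factor_over_base(c, base):
    """Step 2: exponents alpha_1..alpha_s if c is y-smooth, else None."""
    exps = []
    for p_i in base:
        e = 0
        while c % p_i == 0:
            c //= p_i
            e += 1
        exps.append(e)
    return exps if c == 1 else None


def solve_mod_prime(rows, q, n):
    """Gauss-Jordan over F_q on augmented rows [a_1 .. a_n | b].
    Returns the unique solution when the coefficient rank is n, else None."""
    M = [[v % q for v in r] for r in rows]
    piv = 0
    for col in range(n):
        r0 = next((r for r in range(piv, len(M)) if M[r][col]), None)
        if r0 is None:
            return None
        M[piv], M[r0] = M[r0], M[piv]
        inv = pow(M[piv][col], -1, q)
        M[piv] = [v * inv % q for v in M[piv]]
        for r in range(len(M)):
            if r != piv and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % q for a, b in zip(M[r], M[piv])]
        piv += 1
    return [M[i][n] for i in range(n)]


def factor_base_logs(p, a, y, max_m=5000):
    """Removing the assumption: collect relations Dlog(p_i) + m = sum_j alpha_j
    Dlog(p_j) (mod p-1) until the system has full rank, then solve it."""
    q = (p - 1) // 2                     # assumption: p is a safe prime
    base = primes_up_to(y)
    s = len(base)
    rows = []
    for m in range(1, max_m):
        for i, p_i in enumerate(base):
            c = p_i * pow(a, m, p) % p   # Step 1 with b = p_i
            exps = factor_over_base(c, base)
            if exps is None:
                continue
            # sum_j alpha_j L_j - L_i = m  (mod p - 1)
            rows.append([exps[j] - (j == i) for j in range(s)] + [m])
        sol = solve_mod_prime(rows, q, s)
        if sol is not None:
            break
    else:
        raise RuntimeError("relation system never reached full rank")
    logs = {}
    for p_i, l_q in zip(base, sol):
        l_2 = 0 if pow(p_i, q, p) == 1 else 1            # Dlog mod 2 (Euler)
        logs[p_i] = l_q if l_q % 2 == l_2 else l_q + q   # CRT for modulus 2q
    return logs


def dlog(p, a, b, logs):
    """Steps 1-3 with the factor base logs known: Dlog_a b in [0, p-2]."""
    base = sorted(logs)
    for m in range(1, p - 1):
        exps = factor_over_base(b * pow(a, m, p) % p, base)
        if exps is not None:
            return (sum(e * logs[p_i] for e, p_i in zip(exps, base)) - m) % (p - 1)
    return None


if __name__ == "__main__":
    table = factor_base_logs(1019, 2, 20)
    print(table)
    print("Dlog_2 777 =", dlog(1019, 2, 777, table))
```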

One can note that the above approach uses both the structure of finite fields and the properties of smooth numbers. Thus the prime field structure is essential. Over an extension of a field of small characteristic, such as $\mathbb{F}_{2^n}$, elements can be represented by polynomials and thus smooth polynomials play the role of smooth integers. Hence, the results of Section 7.9 become of great importance.

We note that despite a very common belief that the discrete logarithm problem is solvable in subexponential time, this is not proved as we write these lines.

In other words, although over the last decade fast heuristic algorithms for the discrete logarithm problem have been designed to work over any finite field, rigorous subexponential algorithms are known only for very specific fields (such as prime fields $\mathbb{F}_p$, their quadratic extensions $\mathbb{F}_{p^2}$ or fields $\mathbb{F}_{p^n}$ with a fixed p), see [50, Section 6.4] for more details.

It is also clear that the above approach does not apply to the discrete logarithm problem in the elliptic curve setting, where smoothness admits no analogous notion.



9.3 Textbook ElGamal Encryption 

The ElGamal cryptosystem [57] makes use of two primes p, q with $q \mid p - 1$ and an element $g \in \mathbb{F}_p$ of order q (all of which are public), see also [30, Section 8.6], or [123, Sections 8.4.1 and 8.4.2], or [151, Section 6.1] for further details.

The receiver chooses a random private key element $x \in \mathbb{Z}_q$ and computes the public key $X = g^x \in \mathbb{Z}_q$.

Encryption: To encrypt a message $\mu \in \mathbb{F}_p$, the sender chooses a random $r \in \mathbb{Z}_q$, computes $R = \mu X^r \in \mathbb{F}_p$ and $Q = g^r \in \mathbb{F}_p$ and sends the pair $(R, Q) = (\mu X^r, g^r)$.

Decryption: The receiver computes (in $\mathbb{F}_p$)

$$S = Q^x = g^{xr} = X^r \qquad \text{and} \qquad \frac{R}{S} = \mu.$$

Like most public key cryptosystems, the ElGamal protocol is quite slow. It is hence traditionally used to wrap a block-cipher key used for securing the subsequent communication flow.
Doing this in a "textbook fashion" means that μ is a rather small integer. For example, p can be about 500 bits long to thwart discrete logarithm calculation attempts, but μ can be only 80 bits long to resist brute force search.

Boneh, Joux & Nguyen [23] have shown that in this case, with a reasonable probability, μ can be recovered significantly faster than by any of the above two attacks.

Let $\mathcal{G}_q$ be the subgroup of $\mathbb{F}_p^*$ of order q generated by g. We note that $R = \mu U$ where $U \in \mathcal{G}_q$.

Let us assume that $1 \le \mu \le M$ (where M is much smaller than p). We also choose some bound K which is a parameter of the algorithm (controlling the trade-off between complexity and success probability).

Step 1: Compute $R^q = \mu^q U^q = \mu^q$.

Step 2: For $k = 1, \ldots, \lceil K\rceil$ compute, sort and store $k^q$ in a table.

Step 3: For $m = 1, \ldots, \lceil M/K\rceil$ compute

and check whether this value is present in the table of Step 2.

Step 4: Output $\mu = km$ if there is a match.

This algorithm always works with $K = M$ (for example, $m = \mu$, $k = 1$, which is essentially a form of brute force search).

A better choice is $K = M^{1/2+\varepsilon}$. Using (16), we see that the algorithm succeeds for a positive proportion of messages. That is, it works because with a sufficiently high probability a random positive integer $\mu \le M$ has a representation $\mu = km$ with $1 \le k, m \le M^{1/2+\varepsilon}$.

In other words, taking $M = 2^{80}$ (as in the above example as a standard key size for a private key cryptosystem) we see that the attack runs in a little more than $2^{40}$ steps.
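Added example (not from the paper or from [23]) of the splitting attack above on constructed toy parameters, together with a count of how many $\mu \le M$ split as $km$ with k, m of size about $\sqrt{M}$, which is the positive proportion that (16) promises; the parameter-generation routine, the private key and the message values are assumptions of the example.

```python
# Added example, not from the paper: Steps 1-4 of the Boneh-Joux-Nguyen
# splitting attack on textbook ElGamal, on toy parameters built here.  The
# cofactor c = (p - 1)/q is kept large so that the q-th power map in Step 1
# is far from trivial; all sizes are deliberately tiny and insecure.
from math import isqrt


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def toy_params(q=101, c0=100_000):
    """Hypothetical parameters: first prime p = q*c + 1 with c >= c0, and an
    element g = h^c of order q (q prime, so any g != 1 has order exactly q)."""
    c = c0
    while not is_prime(q * c + 1):
        c += 1
    p = q * c + 1
    for h in range(2, p):
        g = pow(h, c, p)
        if g != 1:
            return p, q, g
    raise ValueError("no element of order q")


def encrypt(mu, X, p, q, g, r):
    """Textbook ElGamal: (R, Q) = (mu * X^r, g^r) in F_p for a given r."""
    return mu * pow(X, r, p) % p, pow(g, r, p)


def decrypt(R, Q, x, p):
    S = pow(Q, x, p)                    # S = Q^x = X^r
    return R * pow(S, -1, p) % p        # R / S = mu


def split_candidates(R, p, q, M, K):
    """R^q = mu^q because U^q = 1, so each k <= K, m <= ceil(M/K) with
    k^q * m^q = R^q yields a candidate mu = k*m.  All matches are returned;
    a spurious match k*m = mu*omega, omega^q = 1, is rare for a large cofactor."""
    target = pow(R, q, p)                                  # Step 1
    table = {}
    for k in range(1, K + 1):                              # Step 2
        table.setdefault(pow(k, q, p), []).append(k)
    found = set()
    for m in range(1, -(-M // K) + 1):                     # Step 3, ceil(M/K)
        v = target * pow(pow(m, q, p), -1, p) % p          # k^q = R^q / m^q
        for k in table.get(v, []):
            if k * m <= M:
                found.add(k * m)                           # Step 4
    return sorted(found)


def splittable_fraction(M, K):
    """Proportion of mu in [1, M] of the form k*m, k <= K, m <= ceil(M/K):
    the attack's success probability over uniformly random messages."""
    hits = {k * m for k in range(1, K + 1)
            for m in range(1, -(-M // K) + 1) if k * m <= M}
    return len(hits) / M


if __name__ == "__main__":
    p, q, g = toy_params()
    x = 37                                  # private key (constructed)
    X = pow(g, x, p)
    M, K = 500, isqrt(500) + 1              # "80-bit key" scaled down, K ~ sqrt(M)
    R, Q = encrypt(221, X, p, q, g, r=90)   # 221 = 13 * 17 splits
    print(decrypt(R, Q, x, p), split_candidates(R, p, q, M, K))
    print(f"{splittable_fraction(M, K):.2f} of messages <= {M} are recoverable")
```

The standard remedy is to never encrypt a short key directly: encrypt a random full-size group element (or derive the key from it with a hash), so that μ is not a small integer and the $km$ splitting has nothing to exploit.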
9.4 Affine RSA Padding

The RSA signature scheme [140] makes use of the following parameters: a composite modulus N, a public exponent e and a private exponent d which satisfy the congruence

$$ed \equiv 1 \pmod{\varphi(N)},$$

see also [30, Section 8.3], or [123, Section 8.2], or [151, Section 5.3].

The signature $s \in \mathbb{Z}_N$ of a message $m \in \mathbb{Z}_N$ is computed as follows: $s \equiv m^d \pmod N$. Verification consists in checking that $m \equiv s^e \pmod N$.

If this is applied in this "textbook" form, the scheme becomes susceptible to a chosen message attack which works as follows.

Assume that the attacker, wishing to sign a target message m, has the ability to ask the legitimate signer to sign seemingly meaningless messages. Then the attacker can:

• choose a random $m_1$ and compute

$$m_2 \equiv \frac{m}{m_1} \pmod N;$$

• query the signatures $s_i \equiv m_i^d \pmod N$ for $i = 1, 2$ from the legitimate signer;

• and compute $s \equiv s_1 s_2 \pmod N$.

This works because RSA is homomorphic with respect to multiplication: a multiplicative relation between messages shadows a similar relation between the signatures.

A natural defense against this attack is to restrict the signature and the verification algorithms to messages of a prescribed structure. For example, if N is n bits long, it is requested that the meaningful message part m is only ℓ bits long, to which a fixed $(n - \ell)$-bit string (called padding pattern) is appended. Clearly, in the above example $m_1$ can be chosen to comply with this format, but $m_2$ is unlikely to fulfill this constraint, which thwarts the attack.

In the case of affine padding, signed messages have the following structure:

fixed $(n - \ell)$-bit padding Π | ℓ-bit message m

Thus, denoting $R(m) = P + m$, we see that the signature $s(m)$ of an ℓ-bit message m is computed as

$$s(m) \equiv R(m)^d \pmod N, \qquad 1 \le s(m) < N$$

(that is, $P = 2^{\ell}\Pi$ where Π is the appended padding pattern).
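Added example, not from the paper: the two-signature forgery against textbook RSA on a constructed 20-bit key, beside a signer and verifier that enforce the affine format $R(m) = P + m$ with $P = 2^{\ell}\Pi$ and therefore refuse the attacker's second query; the key, the padding pattern and the message values are made up for the example.

```python
# Added example, not from the paper: textbook RSA chosen-message forgery via
# m2 = m / m1 (mod N), and the affine-padding check that blocks it.
# Everything below (primes, pattern, messages) is constructed; the modulus
# is far too small for any real use.

P_TOY, Q_TOY = 1009, 1013                 # constructed primes, N has 20 bits
N = P_TOY * Q_TOY
PHI = (P_TOY - 1) * (Q_TOY - 1)
E = 65537
D = pow(E, -1, PHI)                       # e*d = 1 (mod phi(N))
ELL = 8                                   # l: bits of the meaningful message
PI = 0xABC                                # fixed (n - l)-bit padding pattern
P_PAD = PI << ELL                         # P = 2^l * Pi, so R(m) = P + m


def sign_textbook(m):
    """Textbook RSA: signs any residue, no structure required."""
    return pow(m, D, N)


def verify_textbook(m, s):
    return pow(s, E, N) == m % N


def forge_textbook(m, m1):
    """Chosen-message attack: with s1 = sign(m1) and s2 = sign(m2) for
    m2 = m / m1 (mod N), the product s1 * s2 is a valid signature on m."""
    m2 = m * pow(m1, -1, N) % N
    s1, s2 = sign_textbook(m1), sign_textbook(m2)
    return s1 * s2 % N, m2


def sign_padded(v):
    """Signer restricted to values R(m) = P + m with 0 <= m < 2^l: it refuses
    (returns None) anything whose top n - l bits are not the pattern Pi."""
    if v < 0 or v >> ELL != PI:
        return None
    return pow(v, D, N)


def verify_padded(m, s):
    """Verifier that checks the padding pattern as well as the e-th power."""
    return 0 <= m < (1 << ELL) and pow(s, E, N) == P_PAD + m


def attempt_padded_forgery(m, m1):
    """Replay the two-signature attack against the padded signer.  The second
    query R(m) / R(m1) (mod N) is almost never of the form P + m2, so the
    signer refuses it.  Returns (second query value, signature or None)."""
    m2_query = (P_PAD + m) * pow(P_PAD + m1, -1, N) % N
    return m2_query, sign_padded(m2_query)


if __name__ == "__main__":
    s, m2 = forge_textbook(6789, 12345)
    print("textbook forgery verifies:", verify_textbook(6789, s))
    print("padded signer's answer to the second query:", attempt_padded_forgery(77, 5)[1])
```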

In a thread of works by Misarsky [128], Girault & Misarsky [77, 78] and Brier, Clavier, Coron & Naccache [28], existential forgery attacks on affine-padded RSA signatures have been progressively developed and refined.

Lenstra & Shparlinski [110] have improved [28] by redesigning it as a selective forgery attack, where the attacker can sign any message.

Let us start by presenting the basic technique introduced in [28].

Our goal is to find four distinct ℓ-bit messages $m_1, m_2, m_3, m_4$ such that

$$R(m_1)\cdot R(m_2) \equiv R(m_3)\cdot R(m_4) \pmod N. \qquad (18)$$

In this case we obtain

$$s(m_1)\cdot s(m_2) \equiv s(m_3)\cdot s(m_4) \pmod N,$$

and hence a signature on $m_3$ can be computed from signatures on $m_1, m_2, m_4$. In [28] this has been applied to the case where all four messages are considered as variables $m_1, m_2, m_3, m_4$ (which leads to an existential signature forgery), while in [110] the message $m_4$ is assumed to be fixed (which leads to a selective signature forgery).

One verifies that the congruence (18) is equivalent to

$$P(m_3 + m_4 - m_1 - m_2) \equiv m_1 m_2 - m_3 m_4 \pmod N.$$

With

$$x = m_1 - m_4, \qquad y = m_2 - m_4, \qquad z = m_3 + m_4 - m_1 - m_2$$
this becomes

$$(P + m_4)\,z \equiv xy \pmod N. \qquad (19)$$

We note that if $m_4$ is already chosen, the values of x, y and z define $m_1$, $m_2$ and $m_3$ uniquely.

The congruence (19) is trivial to solve without any restrictions on the variables, but in fact we need "small" x, y and z, about ℓ bits long, which is a much harder constraint to deal with.

We show how to solve it when

Before we proceed with the algorithm we note that this choice of ℓ is close to the limit of this approach, given that for any fixed $\varepsilon > 0$ a "typical" polynomial congruence in three variables

$$F(x, y, z) \equiv 0 \pmod N \qquad (20)$$

is unlikely to have an integer solution (x, y, z) with

$$1 \le x, y, z \le N^{1/3 - \varepsilon}. \qquad (21)$$

This is because $F(x, y, z)$ takes only $N^{1 - 3\varepsilon}$ possible values for such x, y and z, thus (20) is solvable under the condition (21) only with exponentially small "probability" of order $N^{-3\varepsilon}$ (this estimate assumes that F behaves like a random trivariate function and hence must not be taken literally).

Now, to find ℓ-bit solutions to the congruence (19) we first consider the congruence

$$(P + s)\,z \equiv w \pmod N, \qquad (22)$$

where $|s| \le N^{1/3+\varepsilon}$ is given and the variables w and z satisfy

$$w \le N^{2/3 + 2\varepsilon}, \qquad |z| \le N^{1/3}.$$

Let $R_i/Q_i$ denote the i-th continued fraction convergent to $(P + s)/N$, $i = 1, 2, \ldots$.

Then

$$\left|\frac{P + s}{N} - \frac{R_i}{Q_i}\right| \le \frac{1}{Q_i Q_{i+1}}.$$

We now define j by the inequalities $Q_j \le N^{1/3} < Q_{j+1}$ and set

$$w = \left|(P + s)Q_j - N R_j\right|.$$

Then

$$0 \le w \le \frac{N}{Q_{j+1}} < N^{2/3} \qquad \text{and} \qquad (P + s)\,z \equiv w \pmod N$$

for some z with $|z| \le N^{1/3}$, namely $z = \pm Q_j$.

Now, one can certainly try to apply the above procedure with $s = m_4$ and then check whether w can be factored as $w = xy$ with $1 \le x, y \le 2^{\ell}$. However, this would unfortunately happen only for a rather sparse sequence of messages $m_4$, so we may try to randomize the above idea as follows:

• Pick a random integer r with $0 \le r < N^{\varepsilon}/2$ and find

$$w \equiv \left(P + m_4 - r\lfloor N^{1/3}\rfloor\right) z \pmod N$$

with $1 \le w \le N^{2/3}$.

• Let $u = w + r\lfloor N^{1/3}\rfloor z$, thus

$$u \equiv (P + m_4)\,z \pmod N$$

and $1 \le u \le N^{2/3 + \varepsilon}$ (provided that N is large enough).

• Try to factor u using the elliptic curve factoring method, which requires $\exp\left((2 + o(1))\sqrt{\log p\log\log p}\right)(\log N)^{O(1)}$ bit operations, where $p = P_2(u)$. Abort this step if this takes longer than some selected time bound. Thus we abort this step if $P_2(u)$ is large.

• Try to find x, y with $u = xy$ and $1 \le x, y \le 2^{\ell}$.

• If successful, compute $m_1, m_2, m_3$, otherwise try another pair (u, z).

The above works because eventually we hit a reasonably good u of the form $u = P(u)v$ where $p = P(u) \le 2\sqrt{u}$ and $P(v) = P_2(u)$ is small.

For such a u it is easy to find a representation $u = xy$ with integers x and y of the desired size, $1 \le x, y \le 2^{\ell}$.
The algorithm seems to be very hard to analyze rigorously, but the heuristic analysis given in [110] predicts the runtime as $L_N(1/3, 1)$, which is substantially faster than

$$L_N\left(1/3, (64/9)^{1/3}\right),$$

where

$$L_N(\alpha, \gamma) = \exp\left((\gamma + o(1))(\log N)^{\alpha}(\log\log N)^{1 - \alpha}\right)$$

for $N \to \infty$.

Furthermore, Lenstra & Shparlinski [110] give a 1024-bit affine padding forgery example while direct factorization of moduli of this size is currently beyond reach.

A challenging open question is to find a way to use more signatures and thereby extend the range of ℓ which can be attacked. Recent progress on this question, from a rather unexpected direction, can be found in a work by Joux, Naccache & Thomé [101].

Finally, although unrelated, other recreative applications of ad-hoc factoring in cryptanalysis can be found in [37] and



9.5 Desmedt-Odlyzko Attack 

The attacks that we have just described work because of the inability of the 
affine padding to eradicate the homomorphic properties of RSA. However, 
there are other attacks that apply in theory to any type of message padding. 

In [55], Desmedt & Odlyzko describe an existential RSA signature forgery 
scenario. Here, the opponent is allowed to query from the legitimate signer 
e-th roots (signatures) of validly padded messages of his choosing. Having 
done so, the opponent crafts a new validly padded signature of his own on a 
message left unsigned by the legitimate signer. The attack works as follows: 

Step 1: Select a bound $y$ and let $p_1, \ldots, p_s$ be the primes up to $y$, that is,
$s = \pi(y)$.

Step 2: Find $k+1$ messages $m_i$ which are $y$-smooth and factor them

$$m_i = \prod_{j=1}^{k} p_j^{a_{ij}}$$

(for example, using elliptic curve factorization [111] or trial division).

Step 3: Solve in $u_1, \ldots, u_k \in \{0, \ldots, e-1\}$

$$\sum_{i=1}^{k} a_{ij} u_i \equiv a_{k+1,j} \pmod e, \qquad j = 1, \ldots, k,$$

and write

$$\sum_{i=1}^{k} a_{ij} u_i + \gamma_j e = a_{k+1,j}, \qquad j = 1, \ldots, k.$$

Thus

$$m_{k+1} \equiv r^{e} \prod_{i=1}^{k} m_i^{u_i} \pmod N,$$

where

Step 4: Obtain from the legitimate signer the signatures on $m_i$ for $i =
1, \ldots, k$ and forge the signature on $m_{k+1}$ as

$$s = r \prod_{i=1}^{k} s_i^{u_i} = r \prod_{i=1}^{k} m_i^{d u_i} \pmod N.$$

We see that $s$ is a valid signature since:

$$s^{e} = r^{e} \prod_{i=1}^{k} m_i^{e d u_i} = r^{e} \prod_{i=1}^{k} m_i^{u_i} = m_{k+1} \pmod N.$$

Clearly, in a real-life scenario, instead of generating the $y$-smooth messages
$m_1, \ldots, m_k$ on which valid signatures are required, the attacker may
also passively monitor the legitimate data exchange and test each signed
message for smoothness, putting aside smooth messages together with their
signatures.

Using such a strategy, the expected occurrence of a smooth $m$ is about
once in

$$\frac{N}{\psi(N, y)} = u_N^{(1 + o(1)) u_N}$$

signature rounds, where

$$u_N = \frac{\log N}{\log y}$$

(under the assumption that $m < N$ is random).

Thus, the effort of collecting $y$ messages is $y\, u_N^{u_N}$, which for

$$y = \exp\Big(\sqrt{0.5 \log N \log\log N}\Big)$$

optimizes as $\exp\Big(\sqrt{(2 + o(1)) \log N \log\log N}\Big)$.

Coppersmith, Coron, Grieu, Halevi, Jutla, Naccache & Stern [15] added 
a number of improvements and generalizations to this attack and applied it 
successfully to a number of industry standards. 



9.6 Small Prime Based Public-Key Encryption 

Products of small primes can also be used for public-key encryption. The
idea, due to Naccache & Stern [131], is based on the following problem:

Given a prime $p$, a positive integer $f < p$ and a set of integers
$\{v_1, \ldots, v_n\}$, find a binary vector $x$ such that

$$f = \prod_{i=1}^{n} v_i^{x_i} \pmod p,$$

if such a vector exists.

It is easy to observe that if the $v_1, \ldots, v_n$ are relatively prime and much
smaller than $p$, then the exponent vector $x$ can be found in polynomial time
by factoring $f$. Indeed, instances where

$$p > \prod_{i=1}^{n} v_i \quad\text{and}\quad \gcd(v_i, v_j) = 1, \quad 1 \le i < j \le n,$$

are easy.

Such an easy instance can be hidden by extracting the $s$-th modular root
of each $v_i$, where $s$ is a secret integer with $\gcd(s, p-1) = 1$.

More formally, let $p$ be a large public prime and denote by $n$ the largest
integer such that:

$$p > \prod_{i=1}^{n} p_i,$$

where $p_i$ is the $i$-th prime.

The secret key $s < p - 1$ is a random integer such that $\gcd(p-1, s) = 1$
and the public keys are the $s$-th roots:

$$v_i = p_i^{r} \pmod p, \qquad 0 \le v_i < p, \quad i = 1, \ldots, n,$$

where $r$ satisfies

$$rs \equiv 1 \pmod{p-1}.$$

An $n$-bit message $(m_1, \ldots, m_n)$ is encrypted as

$$c = \prod_{i=1}^{n} v_i^{m_i} \pmod p$$

and recovered by computing

$$f = c^{s} \pmod p, \qquad 0 \le f < p,$$

and then

$$m_i = \begin{cases} 0, & \text{if } p_i \nmid f, \\ 1, & \text{if } p_i \mid f, \end{cases} \qquad i = 1, \ldots, n.$$

We refer the reader to [131] and [37] for more information on this somewhat
unusual public-key encryption scheme, whose encoding idea dates back
to 1931, see Section 9.7.
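As an added illustration, not code from the paper or from Naccache & Stern, here is a toy instance of the scheme just described; the public prime $p = 2^{31}-1$ and the secret exponent $s = 65537$ are constructed choices for the example.

```python
# Added example, not the paper's code: a toy instance of the Naccache-Stern
# small-prime scheme of Section 9.6.  Constructed parameters: the public prime
# p = 2^31 - 1 (a known prime) and the secret exponent s = 65537.
from math import gcd

FIRST_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def largest_n(p):
    """Largest n such that p > p_1 * ... * p_n (the first n primes)."""
    n, running = 0, 1
    for q in FIRST_PRIMES:
        if running * q >= p:
            return n
        running *= q
        n += 1
    raise ValueError("p too large for the built-in prime table")


def keygen(p, s):
    """Public key: v_i = p_i^r mod p with rs = 1 (mod p-1); secret key: s."""
    if gcd(s, p - 1) != 1:
        raise ValueError("s must be coprime to p-1")
    n = largest_n(p)
    r = pow(s, -1, p - 1)                     # so that v_i^s = p_i^{rs} = p_i (mod p)
    v = [pow(q, r, p) for q in FIRST_PRIMES[:n]]
    return (p, v), s


def encrypt(pub, bits):
    """c = prod v_i^{m_i} mod p for the n-bit message (m_1, ..., m_n)."""
    p, v = pub
    if len(bits) != len(v):
        raise ValueError("message must have exactly n bits")
    c = 1
    for vi, mi in zip(v, bits):
        if mi:
            c = c * vi % p
    return c


def decrypt(pub, s, c):
    """Undo the s-th roots: f = c^s mod p equals prod p_i^{m_i} as an integer,
    because that product is smaller than p; then read the bits off by divisibility."""
    p, v = pub
    f = pow(c, s, p)
    return [1 if f % q == 0 else 0 for q in FIRST_PRIMES[:len(v)]]


def roundtrip(p, s, bits):
    """Encrypt then decrypt a message under a fresh key pair; returns the bits read back."""
    pub, sk = keygen(p, s)
    return decrypt(pub, sk, encrypt(pub, bits))
```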



9.7 Gödel Numbers

In his famous work published in 1931, Gödel [79] uses a mapping of mathematical
expressions into integers based on divisibility by small prime factors.

Gödel [79] starts by assigning a unique natural number $\tau(\xi)$ to each basic
mathematical symbol $\xi$ in the formal language of arithmetic he is dealing
with³ (in other words $\tau$ is a symbol-to-integer dictionary).

³ For example, $\xi \in \{\exists, \forall, \Rightarrow, +, \times, \div, 0, 1, 2, \ldots\}$.
To encode an entire mathematical expression $\Xi$, which is nothing but an
ordered sequence of mathematical symbols:

$$\Xi = (\xi_1, \ldots, \xi_n),$$

Gödel [79] uses the following system: each atomic symbol being associated
to a positive integer via $\tau$, the mathematical expression is mapped into $\mathbb{N}$
as:

$$\tau(\Xi) = \prod_{i=1}^{n} p_i^{\tau(\xi_i)} \in \mathbb{N}, \qquad (23)$$

where $p_i$ stands for the $i$-th prime.

Given that any number obtained this way can be uniquely factored into
prime factors, it is possible to effectively and unambiguously recover any
mathematical expression $\Xi$ from its Gödel number $\tau(\Xi)$ (23).

Gödel [79] uses this scheme at two levels: first, to encode sequences of
symbols representing formulae, and second, to encode sequences of formulae
representing proofs. This has allowed him to show a correspondence between
statements about natural numbers and statements about the provability of
theorems dealing with natural numbers, which is the cornerstone of the
celebrated Gödel Incompleteness Theorem [79].

9.8 Error Correction with Products of Small Primes

Interestingly, Gödel's encoding (23) can also be used for error correction.

Error-correcting codes are used to protect information sent over noisy
channels against transmission errors. In [49, 130], Coron & Naccache describe
an unusual error-correcting code based on modular arithmetic.

Let $m$ be the $n$-bit message to encode; we denote by $m_i$ the $i$-th bit of
$m$. We let $p_i$ be the $i$-th prime, starting with $p_1 = 2$. Let $t$ be the number of
errors which can be corrected. We generate a prime $p$ such that:

$$2 p_n^{2t} < p < 4 p_n^{2t} \qquad (24)$$

(which, of course, always exists).

Given $m$, we generate the following "redundancy":

$$c(m) = \prod_{i=1}^{n} p_i^{m_i} \pmod p, \qquad 0 \le c(m) < p. \qquad (25)$$
The integer $c(m)$ is protected by using an error-correcting code $\mu$ resilient
to $t$ transmission errors.

The encoded message $E(m)$ is defined as $E(m) = (m, \mu(c(m)))$.

Let $\tilde{E}(m)$ be the received version of $E(m)$ where at most $t$ errors occurred:

$$\tilde{E}(m) = E(m) \oplus e$$

where $e$ is an error vector of Hamming weight at most $t$, and $\oplus$ stands for
bit-wise addition.

Splitting $e = (e_m, e_c)$ into parts corresponding to errors in $m$ and to errors
in $\mu(c(m))$, we obtain

$$\tilde{E}(m) = (\tilde{m}, \tilde{c}(m)) = \big(m \oplus e_m,\ \mu(c(m)) \oplus e_c\big).$$

Since $\mu$ can correct $t$ errors, and $e_c$ is only a part of $e$ (whose total
Hamming weight is $t$), $c(m)$ can be safely recovered from $\mu(c(m)) \oplus e_c$.

The receiver computes:

$$s = \frac{c(\tilde{m})}{c(m)} = \frac{c(m \oplus e_m)}{c(m)} \pmod p.$$

Using (25) the integer $s$ can be written as:

$$s = a/b \pmod p,$$

where

$$a = \prod_{\substack{i = 1, \ldots, n \\ \tilde{m}_i = 1,\ m_i = 0}} p_i \qquad\text{and}\qquad b = \prod_{\substack{i = 1, \ldots, n \\ \tilde{m}_i = 0,\ m_i = 1}} p_i.$$

Since $m$ suffered at most $t$ errors, we have

$$\max\{a, b\} < p_n^{t}.$$

A result of Stern, Fouque & Wackers [149] shows that given $s$ one can
recover $a$ and $b$ efficiently. The algorithm is based on the Gauss reduction
algorithm for finding the shortest vector in a two-dimensional lattice [162].
More precisely, let $p$ be a prime with $p > 2AB$ for some $A \in \mathbb{R}$ and $B \in \mathbb{R}$.
Let $a, b \in \mathbb{Z}$ be such that $|a| \le A$ and $0 < b \le B$. Then given $p$, $A$, $B$ and
$s = ab^{-1} \pmod p$, one can recover $a$ and $b$ in polynomial time. Note that
the condition $p > 2AB$ guarantees the uniqueness of $a$ and $b$. A very similar
argument has been used in Section 9.4 to find small solutions to (22).

Taking $A = B = p_n^{t} - 1$, we have from (24) that $2AB < p$. Moreover,
$0 < a \le A$ and $0 < b \le B$. Therefore, we can recover $a$ and $b$ from $s$ in
polynomial time. By testing the divisibility of $a$ and $b$ by the small primes
$p_1, \ldots, p_n$, one can recover $e_m = m \oplus \tilde{m}$ and hence $m = \tilde{m} \oplus e_m$.

The process assumes the existence of an error-correcting code $\mu$. Note
that $\mu$ can be nothing but the procedure that we have just presented in
miniature. In other words, the described encoding procedure can be iterated
to protect $c(m)$ using a new, much smaller, set of primes. In turn, yet another
encoding iteration is used at the third level of encoding and so on. Finally,
the smallest and last layer can be protected by simple replication ($2t + 1$
times) and decoded using a majority vote.

The proposed code turns out to provide efficient decoding for some specific
parameter combinations. For instance, denoting by $\mu$ Reed-Muller encoding,
and assuming that 5812-bit messages need to be protected against 31 transmission
errors, the size of $\mu(m)$ is 8192 bits, whereas the hybrid encoding
$(m, \mu(c(m)))$ is only 7860 bits long.

More examples and details can be found in [49, 130]. The full asymptotic
analysis of this scheme still remains to be worked out.
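The encoding, the lattice step and the bit recovery above, as an added worked example (not the paper's or the authors' code); the parameters $n = 162$, $t = 3$ and $p = 2^{61}-1$ are constructed for the example, and the redundancy $c(m)$ is assumed to arrive intact, so the outer code $\mu$ is left out.

```python
# Added example, not the paper's code: the Coron-Naccache code of Section 9.8
# on constructed parameters n = 162 message bits, t = 3 correctable errors and
# the known prime p = 2^61 - 1, which satisfies (24) for p_162 = 953.  The
# redundancy c(m) is assumed to arrive intact (the outer code mu is out of scope).


def first_primes(n):
    """The first n primes by a sieve of Eratosthenes (p_1 = 2)."""
    limit, primes = 16, []
    while len(primes) < n:
        limit *= 2
        sieve = bytearray([1]) * (limit + 1)
        sieve[0] = sieve[1] = 0
        for i in range(2, int(limit ** 0.5) + 1):
            if sieve[i]:
                sieve[i * i::i] = bytearray(len(range(i * i, limit + 1, i)))
        primes = [i for i, flag in enumerate(sieve) if flag]
    return primes[:n]


N_BITS, T_ERRORS = 162, 3
PRIMES = first_primes(N_BITS)
P = 2 ** 61 - 1


def satisfies_24(p, primes, t):
    """Inequality (24): 2 p_n^{2t} < p < 4 p_n^{2t}."""
    pn = primes[-1]
    return 2 * pn ** (2 * t) < p < 4 * pn ** (2 * t)


def redundancy(bits, primes=PRIMES, p=P):
    """c(m) = prod p_i^{m_i} (mod p), equation (25)."""
    c = 1
    for q, b in zip(primes, bits):
        if b:
            c = c * q % p
    return c


def gauss_reduce(u, v):
    """Gauss (Lagrange) reduction of a 2-D lattice basis; returns a shortest
    nonzero lattice vector.  Exact integer arithmetic throughout."""
    def dot(x, y):
        return x[0] * y[0] + x[1] * y[1]
    while True:
        if dot(u, u) > dot(v, v):
            u, v = v, u
        uu = dot(u, u)
        mu = (2 * dot(u, v) + uu) // (2 * uu)   # nearest integer to <u,v>/<u,u>
        if mu == 0:
            return u
        v = (v[0] - mu * u[0], v[1] - mu * u[1])


def recover_fraction(s, p):
    """Given s = a/b (mod p) with a^2 + b^2 < p, gcd(a, b) = 1 and b > 0, return
    (a, b): it is the shortest vector of the lattice {(x, y): x = s*y mod p},
    because any lattice vector independent of (a, b) would force a^2 + b^2 >= p."""
    a, b = gauss_reduce((p, 0), (s, 1))
    if b < 0:
        a, b = -a, -b
    return a, b


def correct(received_bits, c_sent, primes=PRIMES, p=P):
    """Receiver side: s = c(m~)/c(m); then a lists the bits flipped 0->1 and
    b the bits flipped 1->0, so every prime dividing a or b marks an error."""
    s = redundancy(received_bits, primes, p) * pow(c_sent, -1, p) % p
    a, b = recover_fraction(s, p)
    return [bit ^ (1 if (a % q == 0 or b % q == 0) else 0)
            for bit, q in zip(received_bits, primes)]


def demo():
    """Constructed message with three injected bit flips; returns (ok, message)."""
    message = [int((i * 7 + 3) % 5 < 2) for i in range(N_BITS)]
    received = list(message)
    for pos in (0, 77, 161):
        received[pos] ^= 1
    return correct(received, redundancy(message)) == message, message
```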

9.9 Private Information Retrieval with Products of 
Small Primes 

A Private Information Retrieval (PIR) scheme is a combination of encoding
and encryption which allows a user to retrieve the $k$-th bit of an $n$-bit
database, without revealing to the database owner the value of $k$.

Gentry & Ramzan [76] have used the Chinese Remainder Theorem and
properties of products of small primes to design a PIR scheme. The construction
of [76] requires a cyclic group $\mathcal{G}$ whose order $t = \#\mathcal{G}$ has a prescribed
arithmetic structure; namely a product of a large prime and a very smooth
integer. This makes the results of [11, 137, 159] relevant to this problem,
see also Section 6.4.
9.10 Zero-Knowledge with Products of Small Primes

A zero-knowledge proof (ZKP) is a protocol allowing Alice to convince Bob
that she knows a secret $s$ without revealing to Bob information on $s$.

The best-known ZKP is probably the protocol of Fiat & Shamir [60], which
uses an RSA modulus $N$ and $k$ quadratic residues $v_i$ as public parameters.
In its simplest version, Alice uses the $k$ modular square roots $s_i$ such that
$s_i^2 \equiv v_i \pmod N$ as secret identification keys. The protocol is:

• Alice picks a random $r \in \mathbb{Z}_N^*$ and sends to Bob $x = r^2 \pmod N$.

• Bob picks a random binary vector

$$e = (e_0, \ldots, e_{k-1})$$

and sends it to Alice.

• Alice replies to Bob with $y$, computed as a product over $i = 0, \ldots, k-1$.

• Bob verifies that:

$$y^2 = x \prod_{i=0}^{k-1} v_i^{e_i} \pmod N.$$

To ease Bob's computational burden, Micali & Shamir [125] suggest to
use very small $v_i$-values. As it turns out, using small primes as $v_i$ values
presents particular security and simplicity advantages.
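One round of the protocol above as an added example (not the paper's code) with small primes as the $v_i$; the toy modulus $N = 1019 \cdot 1031$ and the response $y = r\prod s_i^{e_i}$, taken from the standard Fiat-Shamir description, are assumptions of the example.

```python
# Added example, not from the paper: one round of the Fiat-Shamir identification
# protocol of Section 9.10 with small primes as the public quadratic residues
# v_i, as Micali & Shamir suggest.  Constructed toy parameters: N = pq with
# p = 1019 and q = 1031 (both primes, both 3 mod 4, so square roots modulo N
# are easy for whoever knows p and q, i.e. for the key issuer).
import random
from math import gcd

P, Q = 1019, 1031
N = P * Q
K = 4                                          # number of secret keys s_i


def is_qr_mod_n(v):
    """v is a quadratic residue mod N iff it is one mod p and mod q (Euler's criterion)."""
    return pow(v, (P - 1) // 2, P) == 1 and pow(v, (Q - 1) // 2, Q) == 1


def sqrt_mod_n(v):
    """A square root of the residue v modulo N via CRT; v^((p+1)/4) is a root
    mod p whenever p = 3 (mod 4)."""
    rp, rq = pow(v, (P + 1) // 4, P), pow(v, (Q + 1) // 4, Q)
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N


def small_prime_residues(k):
    """The first k primes that are quadratic residues modulo N: the public v_i."""
    out, c = [], 2
    while len(out) < k:
        if all(c % d for d in range(2, int(c ** 0.5) + 1)) and is_qr_mod_n(c):
            out.append(c)
        c += 1
    return out


V = small_prime_residues(K)                    # public
S = [sqrt_mod_n(v) for v in V]                 # Alice's secrets, s_i^2 = v_i (mod N)


def alice_commit(rng):
    """Alice picks r in Z_N^* and sends x = r^2 mod N."""
    while True:
        r = rng.randrange(1, N)
        if gcd(r, N) == 1:
            return r, r * r % N


def bob_challenge(rng, k=K):
    """Bob sends a random binary vector e = (e_0, ..., e_{k-1})."""
    return [rng.randrange(2) for _ in range(k)]


def alice_respond(r, e, secrets=S):
    """Alice sends y = r * prod s_i^{e_i} mod N (assumed response formula)."""
    y = r
    for si, ei in zip(secrets, e):
        if ei:
            y = y * si % N
    return y


def bob_verify(x, e, y, v=V):
    """Bob checks y^2 = x * prod v_i^{e_i} mod N."""
    rhs = x
    for vi, ei in zip(v, e):
        if ei:
            rhs = rhs * vi % N
    return y * y % N == rhs


def run_round(seed, secrets=S):
    """One full round; with the true secrets Bob always accepts."""
    rng = random.Random(seed)
    r, x = alice_commit(rng)
    e = bob_challenge(rng)
    return bob_verify(x, e, alice_respond(r, e, secrets))
```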

9.11 The Generalized Diffie-Hellman Problem

Recently, several cryptographic schemes based on the following assumption
appeared:

Let $g$ be an element of prime order $p$ of a "generic" Abelian group $\mathcal{G}$. That
is, we assume that $\mathcal{G}$ is a group where only "generic" attacks, such as Shanks'
or Pollard's algorithms exist and take about $\sqrt{p}$ operations, see [50, Sections
10.3 and 10.4], or [123, Sections 3.6.2 and 3.6.3], or [151, Sections 6.2.1
and 6.2.2]. For example, one may regard $\mathcal{G}$ as the group of points on an
elliptic curve over a finite field.

The traditional Diffie-Hellman problem is defined as follows:

Given $g^x$ and $g^y$, compute $g^{xy}$.

Solving this problem is believed to be hard.
Due to the identity

and the fact that computing square roots in groups of prime order is easy,
the Diffie-Hellman problem can be reformulated in a shorter form:

Given $g^x$, compute $g^{x^2}$.

On the other hand, many cryptographic protocols rely on the presumed
hardness of the following generalized Diffie-Hellman problem:

Given $n$ powers $g^x, \ldots, g^{x^n}$, compute $g^{x^{n+1}}$.

Intuitively it may seem that, despite the fact that more information on
$x$ leaks out in the generalized Diffie-Hellman setting, solving it is not easier
than solving the traditional Diffie-Hellman problem with the same parameters.

Surprisingly, Brown & Gallant [29] and Cheon [35] have shown this intuition
to be wrong.

Here are some results of Cheon [35]:

• given $g^x$ and $g^{x^d}$ for some $d \mid p - 1$, one can find $x$ in time about
$O\big(\sqrt{p/d} + \sqrt{d}\big)$ (which is $O(p^{1/4})$ for $d \sim \sqrt{p}$);

• given $g^x, \ldots, g^{x^d}$ for some $d \mid p + 1$, one can find $x$ in time about
$O\big(\sqrt{p/d} + d\big)$ (which is $O(p^{1/3})$ for $d \sim p^{1/3}$).

This brings up the question of estimating the probability at which primes
$p$ are such that $p \pm 1$ has a divisor $d$ of a given size.

More specifically, how rare are primes $p$ such that $p \pm 1$ has a divisor
$d \in [n^{1/2}, n]$? (This guarantees the asymptotically best advantage if we are
given $g^x, \ldots, g^{x^n}$ with $n$ which is not too large.)

By the result of Ford from Section 8.4 we know that for every $\varepsilon > 0$ this
happens for a positive proportion of primes $p$.

Therefore, we conclude that the attack of [35] can be applied in its
asymptotically strongest form with a positive probability. In other words, the
generalized Diffie-Hellman problem is easier than the traditional Diffie-Hellman
problem.

In practical scenarios probably only small values of $d$ can be used. In this
case the bound (17) can be applied.

9.12 Large Subgroup Attack

The Digital Signature Algorithm uses two large primes $p$ and $q$ such that
$q \mid (p-1)$, see [30, Section 12.6], or [123, Section 11.5.1], or [151, Section 7.4.2].

Suppose that $p$ and $q$ are generated using the following straightforward
method:

• select a random $m$-bit prime $q$;

• randomly generate $k$-bit integers $n$ until a prime $p = 2nq + 1$ is reached.

In [122], Menezes introduces the Large Subgroup Attack on some cryptographic
protocols, including a version of the HMQV protocol, see also [124].

The attack can be applied if $n = (p-1)/(2q)$ has a smooth divisor $s > q$.
Some upper bounds on the density of such primes with a large smooth divisor
are given by Pomerance & Shparlinski [137].

However, this result does not take into account the special structure of $p$
(for example, the presence of a large prime divisor $q \mid (p-1)$), so it does not
(quite) apply.

Furthermore, in the above situation lower bounds become more important.
Determining such bounds is unfortunately a much harder question.

On the other hand, using the results of Banks & Shparlinski [11] and
Tenenbaum [159] mentioned in Section 6.4, one can get an estimate of the
probability $\eta(k, \ell, m)$ that a $k$-bit integer $n$ has a divisor $s > 2^{m}$ which is
$2^{\ell}$-smooth. Then, assuming that shifted primes $p - 1$ behave like "random"
integers, one can address the original question (at least heuristically).

The most interesting choice of parameters as we write these lines is:

$$k = 863, \qquad m = 160, \qquad \ell = 80$$

(which produces a 1024-bit prime $p$).

It has been shown in [11] that for these parameters, the theoretic estimates
(together with some heuristic assumptions about the distribution of primes
in the sequence $2qn + 1$ for $n$ having a large smooth part) suggest that the
attack succeeds with probability

$$\eta(863, 80, 160) \approx 0.09576 > 9.5\%$$

over the choices of $p$ and $q$.

We also note that similar attacks on the ElGamal signature scheme and
the Diffie-Hellman key exchange protocols have been outlined by Anderson
& Vaudenay [2].

9.13 Smooth Orders

Let $l(n)$ be the multiplicative order of 2 modulo $n$, $\gcd(2, n) = 1$ (in the
following 2 can be replaced by any integer $a \ne 0, \pm 1$).

Motivated by several cryptographic applications, Pomerance & Shparlinski
[137] have studied the smoothness of $l(n)$ on integers and on shifted primes
$n = p - 1$. This arises from the desire to clarify whether $g = 2$ can safely serve
as an exponentiation base in discrete logarithm based cryptosystems⁴. However,
in order to avoid the Pohlig-Hellman attack $l(n)$ must not be smooth,
see [30, Section 10.5], or [123, Section 3.6.4], or [151, Section 6.2.3].

Also, Boneh & Venkatesan [24] have shown that the Diffie-Hellman protocol
with $g = 2$ has some additional attractive bit security properties
which are not known for other $g$ values.

⁴ Small values of $g$ allow to significantly speed up square-and-multiply exponentiation.

Finally we recall that Pollard's $(p-1)$-factorization method works better
when $p \mid n$ features a smooth $l(p)$, see [30, Section 9.2], or [50, Section 5.4],
or [123, Section 3.2.3], or [151, Section 5.6.1] for details. Some improvements
of this algorithm have recently been suggested by Zralek [167].

Let us define the following counting functions:

$$L(x, y) = \#\{p \le x : l(p) \text{ is } y\text{-smooth}\}$$

and

$$N(x, y) = \#\{n \le x : l(n) \text{ is } y\text{-smooth}\}.$$

Pomerance & Shparlinski [137] have shown that for

$$\exp\Big(\sqrt{\log x \log\log x}\Big) \le y \le x,$$

we have

$$L(x, y) \ll \rho(u/2)\, \pi(x).$$

It is also noticed in [137] that it seems quite plausible that in fact the
bound also holds with $\rho(u)$ instead of $\rho(u/2)$, which means that the values
of $l(p)$ behave as "random" integers.

In fact, this may even happen to be provable under the Generalized Riemann
Hypothesis. However this has not been worked out yet and remains
an interesting open question.

Furthermore, Banks, Friedlander, Pomerance & Shparlinski [10] proved
that for

$$\exp\Big(\sqrt{\log x \log\log x}\Big) \le y \le x$$

we have

$$N(x, y) \le x \exp\Big(-\big(\tfrac{1}{2} + o(1)\big)\, u \log\log u\Big).$$

As in the case of $L(x, y)$, one may expect that the same bound should
hold with 1 instead of 1/2 in the exponent, but the appearance of $\log\log u$
instead of $\log u$ seems to be right, see also Section 7.3.

9.14 Smooth-Order Based Public Key Encryption

Smooth orders can also be used constructively to provide public key encryption.
Here is one such suggestion due to Naccache & Stern [132]:

Parameter Generation: Let $s$ be an odd, squarefree, $y$-smooth integer,
where $y$ is a certain small parameter, and let $N = pq$ be an RSA modulus
such that

$$s \mid \varphi(N) \quad\text{and}\quad \gcd(\ldots)$$

Typically, we think of $y$ as being a 10-bit integer and consider $N$ to be at
least 768 bits long. Let $g$ be an element whose multiplicative order modulo
$N$ is a large multiple of $s$. Publish $N$, $g$ and keep $p$, $q$ and $s$ secret (note
that there are very few possibilities for $s$, so revealing it does not give any
dramatic advantage to the attacker).

Generation of the modulus appears rather straightforward: pick a family
$p_1 < \ldots < p_{2k}$ of $2k$ small odd distinct primes and set:

$$u = \prod_{i=1}^{k} p_{2i-1}, \qquad v = \prod_{i=1}^{k} p_{2i}, \qquad s = uv = \prod_{i=1}^{2k} p_i \qquad (26)$$

(thus $s$ is $p_{2k}$-smooth).

Find (using trials and primality testing) two large primes $l$ and $r$ such
that both $p = 2lu + 1$ and $q = 2rv + 1$ are prime and let $N = pq$.

Note that much faster key generation procedures exist; we refer the reader
to [132] for more details.

To generate $g$, one can choose it at random in $\mathbb{Z}_N$ and check whether
it has the possible order $\varphi(N)/4$ or $\varphi(N)/2$ modulo $N$. Note that for any
$N$ multiplicative orders of elements of $\mathbb{Z}_N^*$ are divisors of the Carmichael
function $\lambda(N)$; in the above case $\lambda(N) = \varphi(N)/2$.

The main point is to ensure that $g$ is not a $p_i$-th power modulo $N$ for
each $i = 1, \ldots, k$ by testing that

$$g^{\varphi(N)/p_i} \ne 1 \pmod N, \qquad i = 1, \ldots, k.$$

The success probability is a product over $i = 1, \ldots, k$ which, if the
$p_1, \ldots, p_k$ are the first $k$ odd primes, can in turn be estimated
by the Mertens formula as $\sim 1/\log k$. Another method consists in choosing,
for each index $i \le k$, a random $g_i$ until it is not a $p_i$-th power. With
overwhelming probability

$$g = \prod_{i=1}^{k} g_i$$

has multiplicative order at least $\varphi(N)/4$.

Encryption: A message $m < s$ is encrypted as

$$c = g^{m} \pmod N.$$

Decryption: The algorithm computes the value $m_i$ of the residue of $m$
modulo each prime factor $p_i$, $i = 1, \ldots, k$ of $s$ given by (26), and recovers the
message by the Chinese Remainder Theorem, following an idea of Pohlig-Hellman
[135], see also [50, 123].

Now for every $i = 1, \ldots, k$, to find $m_i$, given the ciphertext $c = g^{m}
\pmod N$, the algorithm computes

where the congruence $m \equiv m_i \pmod{p_i}$ is used at the last step.
By comparing this result with all possible powers

$$g^{j\varphi(N)/p_i}, \qquad j = 0, \ldots, p_i - 1,$$

the algorithm finds out the correct value of $m_i$.

The basic operation used by this (non-optimized) algorithm is a modular
exponentiation of complexity $O((\log N)^3)$, repeated at most

$$k p_k \le k^2 \log k \le (\log N)^2 \log\log N$$

times. Decryption therefore takes $O((\log N)^5 \log\log N)$ bit operations.
We refer the reader to [132] for more details and optimizations.
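The parameter generation, encryption and decryption above, as an added example that is not the scheme's reference code: $k = 3$, five-digit primes $l$ and $r$, and a $g$ tested against all $2k$ primes of $s$ are constructed choices for the example.

```python
# Added example, not the scheme's reference implementation: a toy instance of
# the smooth-order scheme of Section 9.14 with k = 3, i.e. 2k = 6 small odd
# primes, and Pohlig-Hellman style decryption.  Constructed sizes: l and r are
# 5-digit primes found by trial division, far below the 768-bit modulus the
# text suggests.  g is tested against all 2k primes of s, so that s | ord(g).
import random
from math import gcd, prod

SMALL_PRIMES = [3, 5, 7, 11, 13, 17]          # p_1 < ... < p_{2k}


def is_prime(n):
    """Trial division; adequate for the sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def keygen(seed=1):
    """Returns ((N, g), (p, q, s, phi)); u, v, s as in (26)."""
    rng = random.Random(seed)
    u = prod(SMALL_PRIMES[0::2])              # p_1 p_3 p_5
    v = prod(SMALL_PRIMES[1::2])              # p_2 p_4 p_6
    s = u * v                                 # odd, squarefree, p_{2k}-smooth
    while True:                               # p = 2lu + 1 with l prime
        l = rng.randrange(10 ** 4, 10 ** 5)
        if is_prime(l) and is_prime(2 * l * u + 1):
            break
    while True:                               # q = 2rv + 1 with r prime
        r = rng.randrange(10 ** 4, 10 ** 5)
        if is_prime(r) and is_prime(2 * r * v + 1):
            break
    p, q = 2 * l * u + 1, 2 * r * v + 1
    N, phi = p * q, (p - 1) * (q - 1)
    while True:                               # g must not be a p_i-th power mod N
        g = rng.randrange(2, N)
        if gcd(g, N) == 1 and all(pow(g, phi // pi, N) != 1 for pi in SMALL_PRIMES):
            break
    return (N, g), (p, q, s, phi)


def encrypt(pub, m):
    N, g = pub
    return pow(g, m, N)                       # c = g^m mod N, m < s


def decrypt(pub, priv, c):
    """For each p_i find m_i = m mod p_i by comparing c^{phi/p_i} = g^{m_i phi/p_i}
    with the p_i candidates g^{j phi/p_i}; then combine the m_i by the CRT."""
    N, g = pub
    _, _, s, phi = priv
    residues = []
    for pi in SMALL_PRIMES:
        target = pow(c, phi // pi, N)
        base = pow(g, phi // pi, N)           # has order exactly p_i
        candidate = 1
        for j in range(pi):
            if candidate == target:
                residues.append(j)
                break
            candidate = candidate * base % N
        else:
            raise ValueError("ciphertext is not a power of g")
    m = 0
    for pi, mi in zip(SMALL_PRIMES, residues):
        Mi = s // pi
        m = (m + mi * Mi * pow(Mi, -1, pi)) % s
    return m
```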

9.15 Oracle-Assisted Integer Factorization

Maurer [120] has designed an algorithm which for any $\varepsilon$, given an integer
$N$, requests at most $\varepsilon \log N$ bits of information and factors $N$ in polynomial
time.

Unfortunately a rigorous analysis of this algorithm requires very precise
results about the distribution of smooth numbers in short intervals, which
currently seems to be beyond reach. Accordingly, the main result of [120] is
conditional and relies on heuristic assumptions.

9.16 Pratt Trees

Highly critical security applications sometimes require primality proofs. Here
is a way to provide such proofs, due to Pratt [138]:

• Check that the would-be prime $p$ is not a perfect power. This is easy,
see, for example, [16, 17].

• Produce a primitive root $g$ modulo $p$ and provide a proof of this. For
that sake it is enough to verify that

$$g^{p-1} \equiv 1 \pmod p \quad\text{and}\quad g^{(p-1)/q} \not\equiv 1 \pmod p$$

for all prime divisors $q \mid (p-1)$, so the list of these primes $q$ must also
be supplied.

• Give a proof that each such $q$ is prime by iterating the above procedure.

The whole algorithm can be viewed as a tree, called the Pratt Tree, where
each node contains a prime (with $p$ as a root) and with 2 at each leaf.
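The three steps above as an added example (not Pratt's or the paper's code): a certificate builder, a verifier that relies only on modular exponentiation, and the tree height $H(p)$, with $H(2) = 0$ as a convention assumed here.

```python
# Added example, not from the paper: building and checking a Pratt certificate
# following the three steps above, plus the height H(p) of the Pratt tree
# (with H(2) = 0, since 2 sits at every leaf).  Trial division is used to factor
# p - 1; the numbers here are small enough for that.


def is_perfect_power(n):
    """Step 1: is n = a^k for some integers a >= 2, k >= 2?"""
    for k in range(2, n.bit_length() + 1):
        lo, hi = 2, 1 << (n.bit_length() // k + 1)
        while lo <= hi:                        # integer k-th root by bisection
            mid = (lo + hi) // 2
            val = mid ** k
            if val == n:
                return True
            if val < n:
                lo = mid + 1
            else:
                hi = mid - 1
    return False


def prime_factors(n):
    """Distinct prime factors of n by trial division."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def primitive_root(p, qs):
    """Step 2: smallest g with g^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in qs):
            return g
    raise ValueError(f"{p} has no primitive root, so it is not prime")


def certificate(p):
    """Pratt tree for p as nested tuples (p, g, [certificates of the q | p-1]).
    Step 3: the prime divisors q of p-1 are certified recursively; 2 is a leaf."""
    if p == 2:
        return (2, None, [])
    if is_perfect_power(p):
        raise ValueError(f"{p} is a perfect power")
    qs = prime_factors(p - 1)
    return (p, primitive_root(p, qs), [certificate(q) for q in qs])


def verify(cert):
    """Check a certificate using only modular exponentiation and division:
    the listed q must exhaust p-1, each q must verify, and g must be a
    primitive root as witnessed by g^(p-1) = 1 and g^((p-1)/q) != 1."""
    p, g, subs = cert
    if p == 2:
        return g is None and subs == []
    if p < 3 or not subs or not isinstance(g, int) or not 1 < g < p:
        return False
    qs = [sub[0] for sub in subs]
    rest = p - 1
    for q, sub in zip(qs, subs):
        if rest % q != 0 or not verify(sub):
            return False
        while rest % q == 0:
            rest //= q
    if rest != 1:                              # an unlisted prime factor of p-1
        return False
    if pow(g, p - 1, p) != 1:
        return False
    return all(pow(g, (p - 1) // q, p) != 1 for q in qs)


def height(cert):
    """H(p): the number of edges on the longest root-to-leaf path."""
    return 0 if not cert[2] else 1 + max(height(sub) for sub in cert[2])
```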

The algorithm runs in polynomial time and in particular shows that the
decision problem PRIMES is in the complexity class NP (which is not so
exciting nowadays given that, thanks to [1], we know that PRIMES is actually
in P).

Pratt [138] has shown that the number of multiplications required by this
algorithm is $O((\log p)^2)$. On the other hand, Bayless [13] shows that this
number is at least $C \log p$ for any fixed $C > 1$ and for almost all primes $p$.

There are, however, many other interesting questions about this tree,
such as estimating its height, number of nodes, number of leaves, and so on,
in extreme cases and also for almost all primes.

For example, it is obvious that the Pratt Tree's height $H(p)$ satisfies the
inequality

$$H(p) < \log p. \qquad (27)$$
One can also infer from more general results of Kátai [104] that for some
constant $c > 0$ the inequality

$$H(p) > c \log\log p \qquad (28)$$

holds for almost all primes $p$.

Ford, Konyagin & Luca [67] have recently given a heuristic argument
suggesting that

$$H(p) > \frac{\;\cdot\;}{\log\log p}$$

for infinitely many primes $p$ and also a rigorous proof that

$$H(p) < (\log p)^{0.9622}$$

holds for almost all $p$. It is also shown in [67] that (28) holds for almost all
primes $p$ with any

$$c < \frac{1}{1 + \log 2}.$$

It seems that the lower bound (28) is of the right order of magnitude and in
fact some heuristic arguments, given in [67], lead to the conjecture that

$$H(p) = e \log\log p + O(\log\log\log p)$$

for almost all primes $p$.

A number of other challenging open questions and conjectures can be
found in [67].

Studying other characteristics of the Pratt Tree is also an interesting and
little-researched open question.

For instance, Banks & Shparlinski [12] have shown that the length $L(p)$
of the chain $p \mapsto P(p-1)$ satisfies

$$L(p) \ge (1 + o(1)) \frac{\log\log p}{\log\log\log p} \qquad (29)$$

for almost all primes $p$. This corresponds to a particular path in the Pratt
Tree. Furthermore, it may be natural to expect that this should actually be
the longest path for almost all primes, so it is possible that

$$L(p) = (1 + o(1)) H(p)$$

for almost all primes $p$. On the other hand, it seems that $L(p) < H(p)$
holds for almost all primes $p$. Clarifying the matter is an important research
challenge. As a first step one may for instance try to use the methods of [67,
101] to improve (29) up to the level of (28).

9.17 Strong Primes

A prime $p$ is called strong if $p - 1$ and $p + 1$ have a large prime divisor, and
$p - 1$ has a prime divisor $r$ such that $r - 1$ has a large prime divisor, see [123,
Section 4.4.2].

To make this definition more formal we say that $p$ is $y$-strong if $p + 1$ has
a large prime divisor $q > y$, and $p - 1$ has a prime divisor $r$ such that $r - 1$
has a prime divisor $\ell > y$.

We note that the combination of [10] and [137] (see Sections 7.3 and 7.5)
implies that almost all primes are $y$-strong as $\log x / \log y \to \infty$.

Indeed, the cardinality of the set of primes $p \le x$ such that $p + 1$ is
$y$-smooth is exactly the function $\pi_1(x, y)$ discussed in Section 7.3.

From the set of remaining primes $p \le x$ we remove those for which $p - 1$
is divisible by $r^2$ for a prime $r > y$. Since the number of primes $p \le x$ with
$p \equiv 1 \pmod{r^2}$ is at most $x/r^2$, the cardinality of this set can be estimated
trivially as

$$\sum_{r > y} \frac{x}{r^2}.$$

Hence it is easy to see that if one of the remaining primes is not $y$-strong
then $\varphi(p - 1)$ is $y$-smooth and thus the bounds of $\Pi_{-1}(x, y)$ from Section 7.3
can be applied.

9.18 Small Prime Based Hash Functions

The Very Smooth Hash function, VSH, recently introduced and studied by
Contini, Lenstra & Steinfeld [12], is defined as follows.

Let $p_i$ denote the $i$-th prime number and let

$$Q_k = \prod_{i=1}^{k} p_i$$

denote the product of the first $k$ primes.
Assume that integers $k$ and $N$ satisfy

$$Q_k < N < Q_{k+1}. \qquad (30)$$

Let the message length $\ell < 2^{k}$ be a positive integer whose $k$-bit representation
(including all leading zeros) is $\ell = \lambda_1 \ldots \lambda_k$, that is

$$\ell = \sum_{i=1}^{k} \lambda_i 2^{i-1}.$$

The VSH takes an $\ell$-bit message $m = \mu_1, \ldots, \mu_\ell$ and hashes it (in a very
efficient way, via a simple iterative procedure) to

$$h_N(m) = \prod_{i=1}^{k} p_i^{e_i} \pmod N, \qquad 0 \le h_N(m) < N,$$

where $L = \lceil \ell/k \rceil$, $\mu_s = 0$ for $\ell < s \le Lk$, $\mu_{Lk+i} = \lambda_i$ for $1 \le i \le k$, and

$$e_i = \sum_{j=0}^{L} \mu_{jk+i}\, 2^{L-j}, \qquad i = 1, \ldots, k.$$
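An added example, not the VSH authors' code, of the compression just defined: the closed-form exponents $e_i$ and the iterative procedure are both implemented and agree; the modulus $N = (2^{31}-1)(2^{61}-1)$ is a constructed toy choice, from which $k$ follows by (30).

```python
# Added example, not the VSH authors' code: the VSH compression h_N(m) of
# Section 9.18 computed two ways, from the closed-form exponents e_i and by the
# iterative square-and-multiply-by-small-primes procedure.  Constructed modulus:
# N = (2^31 - 1)(2^61 - 1), a product of two known primes; k follows from (30).


def primes_for_modulus(N):
    """p_1, ..., p_k with Q_k < N < Q_{k+1}, i.e. inequality (30)."""
    primes, Q, c = [], 1, 2
    while True:
        if all(c % q for q in primes):        # c is prime: no smaller prime divides it
            if Q * c > N:
                return primes
            primes.append(c)
            Q *= c
        c += 1


def padded_bits(bits, k):
    """mu_1 .. mu_{(L+1)k}: the message, zero padding up to Lk, then the k-bit
    length block lambda_1 .. lambda_k with ell = sum lambda_i 2^{i-1}."""
    ell = len(bits)
    if not 0 < ell < 2 ** k:
        raise ValueError("message length must satisfy 0 < ell < 2^k")
    L = -(-ell // k)                           # ceil(ell / k)
    length_block = [(ell >> (i - 1)) & 1 for i in range(1, k + 1)]
    return list(bits) + [0] * (L * k - ell) + length_block, L


def vsh_exponents(bits, k):
    """e_i = sum_{j=0}^{L} mu_{jk+i} 2^{L-j}, i = 1..k (0-based indexing below)."""
    mu, L = padded_bits(bits, k)
    return [sum(mu[j * k + i] << (L - j) for j in range(L + 1)) for i in range(k)]


def vsh_closed_form(bits, N, primes):
    """h_N(m) = prod p_i^{e_i} mod N."""
    h = 1
    for q, e in zip(primes, vsh_exponents(bits, len(primes))):
        h = h * pow(q, e, N) % N
    return h


def vsh_iterative(bits, N, primes):
    """The same value by the iteration x <- x^2 * prod p_i^{mu_{jk+i}} mod N,
    j = 0..L, starting from x = 1; the squarings realise the factors 2^{L-j}."""
    k = len(primes)
    mu, L = padded_bits(bits, k)
    x = 1
    for j in range(L + 1):
        x = x * x % N
        for i in range(k):
            if mu[j * k + i]:
                x = x * primes[i] % N
    return x


N_DEMO = (2 ** 31 - 1) * (2 ** 61 - 1)
PRIMES_DEMO = primes_for_modulus(N_DEMO)      # k = 20 for this modulus
```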

It is demonstrated in [12] that the VSH also admits a rigorous collision-resistance
proof based on "natural" number theoretic problems which are
presumably hard. As the above problem is related to factoring, it is natural
to choose $N = pq$ to be an RSA modulus. The design and the suggested
parameter choice are both based on classical facts about the distribution of
smooth numbers.

In [18], Blake & Shparlinski harness results about the distribution of
smooth numbers to provide rigorous support in favor of the security and the
distribution properties of the VSH. In particular, [18] shows that for almost
all RSA moduli and any integer $a$, the probability that for a random $\ell$-bit
message $m$ we have $h_N(m) \equiv a \pmod N$ is negligible for sufficiently large
values of $\ell$.

This bounds the collision probability and also the probability of finding
a second pre-image by brute force.

The above and several other results in [18] are based on the study of the
multiplicative subgroup of $\mathbb{Z}_N^*$ generated by $p_1, \ldots, p_k$ for integers $N = pq$
where $p$ and $q$ are distinct primes, satisfying the inequality (30).
10 Conclusion

Our goal has been to position this paper at the crossroads of cryptography
and number theory. We hope that while reading it cryptographers have
enriched their arsenal with a large gamut of little-used, yet powerful, number-theoretic
methods and results extending beyond the classical facts used in
cryptology. On the other hand, it is our hope that number theorists have
enjoyed learning how smooth numbers can be harnessed to provide encryption,
private information retrieval, identification, error correction, hashing,
primality proofs and other cryptographic functions. Furthermore, final tuning
and adjusting already known results and techniques may lead to new
advances of intrinsic mathematical interest. Our outline, somewhat sketchy
and simplified and also sometimes ignoring subtleties, cannot replace a careful
and systematic reading of the original number theoretic and cryptographic
literature, such as [50, 86, 91, 100, 156] and [30, 123, 151], respectively.

11 Acknowledgements

The authors would like to thank Kevin Ford for many valuable suggestions.
The second author's work was supported in part by ARC grant DP0556431.

References 

[1] M. Agrawal, N. Kayal and N. Saxena, 'PRIMES is in P', Ann. of Math., 
160 (2004), 781-793. 

[2] R. Anderson and S. Vaudenay, 'Minding your p's and q's', Proc. Asiacrypt'96,
Lect. Notes in Comp. Sci., vol. 1163, Springer-Verlag, Berlin,
2000, 26-35.

[3] E. Bach, J. von zur Gathen and H. W. Lenstra, 'Factoring polynomials 
over special finite fields', Finite Fields Appi, 7 (2001), 5-28. 

[4] E. Bach and R. Peralta, 'Asymptotic semismoothness probabilities',
Math. Comp., 65 (1996), 1701-1715.

[5] A. Balog, 'On the distribution of integers having no large prime factors',
Astérisque, 147-148 (1987), 27-31.

[6] A. Balog, 'On additive representation of integers', Acta Math. Hungar.,
54 (1989), 297-301.

[7] A. Balog and C. Pomerance, 'The distribution of smooth numbers in
arithmetic progressions', Proc. Amer. Math. Soc., 115 (1992), 33-43.

[8] A. Balog and T. D. Wooley, 'On strings of consecutive integers with no
large prime factors', J. Austral. Math. Soc., Ser. A, 64 (1998), 266-276.

[9] R. C. Baker and G. Harman, 'Shifted primes without large prime factors',
Acta Arith., 83 (1998), 331-361.

[10] W. Banks, J. B. Friedlander, C. Pomerance and I. E. Shparlinski, 'Multiplicative
structure of values of the Euler function', High Primes and Misdemeanours:
Lectures in Honour of the 60-th Birthday of Hugh Cowie
Williams, Fields Institute Communications, vol. 41, Amer. Math. Soc.,
2004, 29-48.

[11] W. D. Banks and I. E. Shparlinski, 'Integers with a large smooth divisor',
Integers, 7 (2007), # A17, 1-11.

[12] W. D. Banks and I. E. Shparlinski, 'On values taken by the largest prime
factor of shifted primes', J. Aust. Math. Soc., 82 (2007), 133-147.

[13] J. Bayless, 'The Lucas-Pratt primality tree', Math. Comp., 77 (2008),
495-502.

[14] R. L. Bender and C. Pomerance, 'Rigorous discrete logarithm computations
in finite fields via smooth polynomials', Computational Perspectives
on Number Theory, Amer. Math. Soc., Providence, RI, 1998, 221-232.

[15] D. J. Bernstein, 'Bounding smooth integers', Proc. 3-rd Algorithmic
Number Theory Symp., Lect. Notes in Comput. Sci., vol. 1423, Springer-Verlag,
Berlin, 1998, 128-130.

[16] D. J. Bernstein, 'Detecting perfect powers in essentially linear time',
Math. Comp., 67 (1998), 1253-1283.

[17] D. J. Bernstein, H. W. Lenstra and J. Pila, 'Detecting perfect powers
by factoring into coprimes', Math. Comp., 76 (2007), 385-388.

[18] I. Blake and I. E. Shparlinski, 'Statistical distribution and collisions of 
the VSH', J. Math. Cryptology, 1 (2007), 329-349. 

[19] E. Bombieri, J. B. Friedlander and H. Iwaniec, 'Primes in arithmetic 
progressions to large moduli', Acta Math., 156 (1986), 203-251. 

[20] E. Bombieri, J. B. Friedlander and H. Iwaniec, 'Primes in arithmetic 
progressions to large moduli IF, Math. Ann., 277 (1987), 361-393. 

[21] E. Bombieri, J. B. Friedlander and H. Iwaniec, 'Primes in arithmetic 
progressions to large moduli, III', J. Amer. Math. Soc, 2 (1989), 215- 
224. 

[22] D. Boneh, 'Finding smooth integers in short intervals using CRT decod- 
ing', J. Comp. and Syst. Sciences., 64 (2002), 768-784. 

[23] D. Boneh, A. Joux and P. Q. Nguyen, 'Why textbook ElGamal and RSA 
encryption are insecure', Proc. Asiacrypt'OO , Lect. Notes in Comp. Sci., 
vol. 1976, Springer- Verlag, Berlin, 2000, 30-43. 

[24] D. Boneh and R. Venkatesan, 'Hardness of computing the most signif- 
icant bits of secret keys in Dime-Hellman and related schemes', Proc. 
Crypto'96 , Lect. Notes in Comp. Sci., vol. 1109, Springer- Verlag, Berlin, 
1996, 129-142. 

[25] R. de la Breteche, 'Sommes sans grand facteur premier', Acta Arith., 88 
(1999), 1-14. 

[26] R. de la Breteche, 'Entries ayant exactement r diviseurs dans un inter- 
valle donnee', Anatomy of Integers, CRM Proc. and Lect. Notes, vol. 46, 
Amer. Math. Soc, Providence, RI, 2008, 19-45. 

[27] R. de la Breteche and G. Tenenbaum, 'Sommes d'exponentielles friables 
d'arguments rationnels', Fund. Approx. Comment. Math. , 37 (2007), 
31-38. 

[28] E. Brier, C. Clavier, J.-S. Coron and D. Naccache, 'Crypt analysis of RSA 
signatures with fixed-pattern padding', Proc. Crypto '0 1 , Lect. Notes in 
Comp. Sci., vol. 2139, Springer- Verlag, Berlin, 2001, 433-439. 



64 



[29] D. R. L. Brown and R. P. Gallant, 'The static Diffie-Hellman problem', Cryptology ePrint Archive, Report 2004/306, 2004 (available from http://eprint.iacr.org/2004/306).

[30] J. Buchmann, Introduction to cryptography, Springer-Verlag, Berlin, 2004.

[31] J. Buchmann and S. Hamdy, 'A survey on IQ cryptography', Public-Key Cryptography and Computational Number Theory, Walter de Gruyter, Berlin, 2001, 1-15.

[32] A. A. Buchstab, 'On those numbers in an arithmetic progression all prime factors of which are small in magnitude', Dokl. Akad. Nauk SSSR, 67 (1949), 5-8 (in Russian).

[33] D. A. Burgess, 'The distribution of quadratic residues and non-residues', Mathematika, 4 (1957), 106-112.

[34] E. R. Canfield, P. Erdős and C. Pomerance, 'On a problem of Oppenheim concerning "Factorisatio Numerorum"', J. Number Theory, 17 (1983), 1-28.

[35] J. Cheon, 'Security analysis of the strong Diffie-Hellman problem', Proc. Eurocrypt'06, Lect. Notes in Comp. Sci., vol. 4004, Springer-Verlag, Berlin, 2006, 1-11.

[36] J. Cooley and J. Tukey, 'An algorithm for the machine calculation of complex Fourier series', Math. Comp., 19 (1965), 297-301.

[37] B. Chevallier-Mames, D. Naccache and J. Stern, 'Linear bandwidth Naccache-Stern encryption', Proc. 6-th Conf. on Security and Cryptography for Networks, Lect. Notes in Comp. Sci., vol. 5229, Springer-Verlag, Berlin, 2008, 327-339.

[38] H. Cohen and H. W. Lenstra, 'Heuristics on class groups of number fields', Number Theory, Noordwijkerhout 1983, Lect. Notes in Math., vol. 1068, Springer-Verlag, Berlin, 1984, 33-62.

[39] A. Cojocaru, 'Questions about the reductions modulo primes of an elliptic curve', Proc. 7th Meeting of the Canadian Number Theory Association (Montreal, 2002), CRM Proceedings and Lecture Notes, vol. 36, Amer. Math. Soc., 2004, 61-79.

[40] A. Cojocaru, 'Reductions of an elliptic curve with almost prime orders', Acta Arith., 119 (2005), 265-289.

[41] A. Cojocaru, F. Luca and I. E. Shparlinski, 'Pseudoprime reductions of elliptic curves', Math. Proc. Cambr. Phil. Soc., (to appear).

[42] S. Contini, A. K. Lenstra and R. Steinfeld, 'VSH, an efficient and provable collision-resistant hash function', Proc. Eurocrypt'06, Lect. Notes in Comp. Sci., vol. 4004, Springer-Verlag, Berlin, 2006, 165-182.

[43] D. Coppersmith, 'Small solutions to polynomial equations, and low exponent RSA vulnerabilities', J. Cryptology, 10 (1997), 233-260.

[44] D. Coppersmith, 'Small solutions of small degree polynomials', Lect. Notes in Comp. Sci., vol. 2146, Springer-Verlag, Berlin, 2001, 20-31.

[45] D. Coppersmith, J.-S. Coron, F. Grieu, S. Halevi, C. Jutla, D. Naccache and J. P. Stern, 'Cryptanalysis of ISO/IEC 9796-1', J. Cryptology, 21 (2008), 27-51.

[46] D. Coppersmith, N. Howgrave-Graham and S. V. Nagaraj, 'Divisors in residue classes, constructively', Math. Comp., 77 (2008), 531-545.

[47] J.-S. Coron, M. Joye, D. Naccache and P. Paillier, 'New attacks on PKCS #1 v1.5 encryption', Proc. Eurocrypt'00, Lect. Notes in Comp. Sci., vol. 1807, Springer-Verlag, Berlin, 2000, 369-381.

[48] J.-S. Coron and D. Naccache, 'Security analysis of the Gennaro-Halevi-Rabin signature scheme', Proc. Eurocrypt'00, Lect. Notes in Comp. Sci., vol. 1807, Springer-Verlag, Berlin, 2000, 91-101.

[49] J.-S. Coron and D. Naccache, 'A new error-correcting code based on modular arithmetic', Preprint, 2004.

[50] R. Crandall and C. Pomerance, Prime numbers: A computational perspective, 2-nd edition, Springer-Verlag, New York, 2005.

[51] E. Croot, 'On a combinatorial method for counting smooth numbers in sets of integers', J. Number Theory, 126 (2007), 237-253.

[52] E. Croot, 'Smooth numbers in short intervals', Int. J. Number Theory, 3 (2007), 159-169.

[53] E. Croot, A. Granville, R. Pemantle and P. Tetali, 'Running time predictions for factoring algorithms', Proc. 8-th Algorithmic Number Theory Symp., Lect. Notes in Comput. Sci., vol. 5011, Springer-Verlag, Berlin, 2008, 1-36.

[54] C. Dartyge, G. Martin and G. Tenenbaum, 'Polynomial values free of large prime factors', Periodica Math. Hungar., 43 (2001), 111-119.

[55] Y. Desmedt and A. Odlyzko, 'A chosen text attack on the RSA cryptosystem and some discrete logarithm schemes', Proc. Crypto'85, Lect. Notes in Comput. Sci., vol. 218, Springer-Verlag, Berlin, 1985, 516-522.

[56] W. Duke, J. B. Friedlander and H. Iwaniec, 'Bilinear forms with Kloosterman fractions', Invent. Math., 128 (1997), 23-43.

[57] T. El-Gamal, 'A public-key cryptosystem and a signature scheme based on discrete logarithms', Proc. Crypto'84, Lect. Notes in Comput. Sci., vol. 196, Springer-Verlag, Berlin, 1985, 10-18.

[58] V. Ennola, 'On numbers with small prime divisors', Ann. Acad. Sci. Fenn., Ser. AI, 440 (1969), 1-16.

[59] P. Erdős and C. Pomerance, 'On the normal number of prime factors of φ(n)', Rocky Mountain J. Math., 15 (1985), 343-352.

[60] A. Fiat and A. Shamir, 'How to prove yourself: Practical solutions to identification and signature problems', Proc. Crypto'86, Lect. Notes in Comput. Sci., vol. 263, Springer-Verlag, Berlin, 1987, 186-194.

[61] K. Ford, 'The distribution of totients', The Ramanujan J., 2 (1998), 67-151.

[62] K. Ford, 'The number of solutions of φ(x) = m', Annals of Math., 150 (1999), 283-311.

[63] K. Ford, 'Vinogradov's integral and bounds for the Riemann zeta function', Proc. London Math. Soc., 85 (2002), 565-633.

[64] K. Ford, 'The distribution of integers with a divisor in a given interval', Annals of Math., 168 (2008), 367-433.

[65] K. Ford, 'Integers with a divisor in (y,2y]', Anatomy of Integers, CRM Proc. and Lect. Notes, vol. 46, Amer. Math. Soc., Providence, RI, 2008, 65-80.

[66] K. Ford and Y. Hu, 'Divisors of the Euler and Carmichael functions', Acta Arith., 133 (2008), 199-208.

[67] K. Ford, S. Konyagin and F. Luca, 'Prime chains and Pratt trees', Preprint, 2008.

[68] K. Ford and G. Tenenbaum, 'The distribution of integers with at least two divisors in a short interval', Quart. J. Math., 58 (2007), 187-201.

[69] E. Fouvry and G. Tenenbaum, 'Entiers sans grand facteur premier en progressions arithmétiques', Proc. London Math. Soc., 63 (1991), 449-494.

[70] E. Fouvry and G. Tenenbaum, 'Répartition statistique des entiers sans grand facteur premier dans les progressions arithmétiques', Proc. London Math. Soc., 72 (1996), 481-514.

[71] J. B. Friedlander, 'Shifted primes without large prime factors', Number Theory and Applications, Kluwer Acad. Publ., Dordrecht, 1989, 393-401.

[72] J. B. Friedlander and A. Granville, 'Smoothing 'smooth' numbers', Philos. Trans. Roy. Soc. London, Ser. A, 345 (1993), 339-347.

[73] J. B. Friedlander and J. C. Lagarias, 'On the distribution in short intervals of integers having no large prime factor', J. Number Theory, 25 (1987), 249-273.

[74] S. D. Galbraith and J. McKee, 'The probability that the number of points on an elliptic curve over a finite field is prime', J. London Math. Soc., 62 (2000), 671-684.

[75] J. von zur Gathen and J. Gerhard, Modern computer algebra, Cambridge University Press, Cambridge, 2003.

[76] C. Gentry and Z. Ramzan, 'Single-database private information retrieval with constant communication rate', Proc. 32nd Intern. Coll. Automata, Languages and Programming, Lect. Notes in Comput. Sci., vol. 3580, Springer-Verlag, Berlin, 2005, 803-815.

[77] M. Girault and J.-F. Misarsky, 'Selective forgery of RSA signatures using redundancy', Proc. Eurocrypt'97, Lect. Notes in Comp. Sci., vol. 1233, Springer-Verlag, Berlin, 1997, 495-507.

[78] M. Girault and J.-F. Misarsky, 'Cryptanalysis of countermeasures proposed for repairing ISO 9796', Proc. Eurocrypt'00, Lect. Notes in Comp. Sci., vol. 1807, Springer-Verlag, Berlin, 2000, 81-90.

[79] K. Gödel, 'Über formal unentscheidbare Sätze der Principia Mathematica und verwandter Systeme I', Monatshefte für Mathematik und Physik, 38 (1931), 173-198.

[80] S. W. Graham and I. E. Shparlinski, 'On RSA moduli with almost half of the bits prescribed', Disc. Appl. Math., 156 (2008), 3150-3154.

[81] A. Granville, 'On positive integers ≤ x with prime factors ≤ t log x', Number Theory and Applications, Kluwer, 1989, 403-422.

[82] A. Granville, 'The lattice points of an n-dimensional tetrahedron', Aequationes Math., 41 (1991), 234-241.

[83] A. Granville, 'Integers, without large prime factors, in arithmetic progressions I', Acta Math., 170 (1993), 255-273.

[84] A. Granville, 'Integers, without large prime factors, in arithmetic progressions II', Philos. Trans. Roy. Soc. London, Ser. A, 345 (1993), 349-362.

[85] A. Granville, 'Smooth numbers: Computational number theory and beyond', Algorithmic Number Theory: Lattices, Number Fields, Curves, and Cryptography, Cambridge University Press, 2008, 267-322.

[86] H. Halberstam and H.-E. Richert, Sieve methods, Academic Press, London, 1974.

[87] R. Hall and G. Tenenbaum, Divisors, Cambridge Tracts in Mathematics, vol. 90, Cambridge University Press, 1988.

[88] S. Hamdy and F. Saidak, 'Arithmetic properties of class numbers of imaginary quadratic fields', J. Algebra Number Theory Appl., 6 (2006), 129-148.

[89] G. H. Hardy and E. M. Wright, An introduction to the theory of numbers, Oxford Univ. Press, Oxford, 1979.

[90] G. Harman, 'Integers without large prime factors in short intervals and arithmetic progressions', Acta Arith., 91 (1999), 279-289.

[91] G. Harman, Prime-detecting sieves, Princeton Univ. Press, Princeton, NJ, 2007.

[92] D. R. Heath-Brown, 'Zero-free regions for Dirichlet L-functions, and the least prime in an arithmetic progression', Proc. London Math. Soc., 64 (1992), 265-338.

[93] A. Hildebrand, 'Integers free of large prime factors and the Riemann Hypothesis', Mathematika, 31 (1984), 258-271.

[94] A. Hildebrand, 'On the number of positive integers ≤ x and free of prime factors > y', J. Number Theory, 22 (1986), 289-307.

[95] A. Hildebrand and G. Tenenbaum, 'Integers without large prime factors', J. de Théorie des Nombres de Bordeaux, 5 (1993), 411-484.

[96] N. A. Hmyrova, 'On polynomials with small prime divisors, II', Izv. Akad. Nauk SSSR, Ser. Mat., 30 (1966), 1367-1372 (in Russian).

[97] E. W. Howe, 'On the group orders of elliptic curves over finite fields', Compositio Math., 85 (1993), 229-247.

[98] S. Hunter and J. P. Sorenson, 'Approximating the number of integers free of large prime factors', Math. Comp., 66 (1997), 1729-1741.

[99] H. Iwaniec and J. Jiménez Urroz, 'Orders of CM elliptic curves modulo p with at most two primes', Preprint, 2006.

[100] H. Iwaniec and E. Kowalski, Analytic number theory, Amer. Math. Soc., Providence, RI, 2004.

[101] A. Joux, D. Naccache and E. Thomé, 'When e-th roots become easier than factoring', Proc. Asiacrypt'07, Lect. Notes in Comp. Sci., vol. 4833, Springer-Verlag, Berlin, 2007, 13-28.

[102] M. Joye, P. Paillier and S. Vaudenay, 'Efficient generation of prime numbers', Proc. Cryptographic Hardware and Embedded Systems (CHES'00), Lect. Notes in Comp. Sci., vol. 1965, Springer-Verlag, Berlin, 2000, 340-354.

[103] J. Jiménez Urroz, 'Almost prime orders of CM elliptic curves modulo p', Proc. 8-th Algorithmic Number Theory Symp., Lect. Notes in Comp. Sci., vol. 5011, Springer-Verlag, Berlin, 2008, 74-87.

[104] I. Kátai, 'On the iteration of multiplicative functions', Publ. Math. Debrecen, 36 (1989), 129-134.

[105] N. Koblitz, 'Primality of the number of points on an elliptic curve over a finite field', Pacific J. Math., 131 (1988), 157-166.

[106] N. Koblitz, 'Almost primality of group orders of elliptic curves defined over small finite fields', Experiment. Math., 10 (2001), 553-558.

[107] N. M. Korobov, 'Estimates of trigonometric sums and their applications', Uspehi Mat. Nauk, 13 (1958), 185-192 (in Russian).

[108] D. Koukoulopoulos, 'Localized factorizations of integers', Preprint, 2008 (available from http://arxiv.org/abs/0809.1072).

[109] Y. Lamzouri, 'Smooth values of the iterates of the Euler φ-function', Canadian J. Math., 59 (2007), 127-147.

[110] A. K. Lenstra and I. E. Shparlinski, 'Selective forgery of RSA signatures with fixed-pattern padding', Proc. Intern. Workshop on Practice and Theory in Public Key Cryptography, Lect. Notes in Comp. Sci., vol. 2274, Springer-Verlag, Berlin, 2002, 228-236.

[111] H. W. Lenstra, 'Factoring integers with elliptic curves', Annals of Math., 126 (1987), 649-673.

[112] H. W. Lenstra, J. Pila and C. Pomerance, 'A hyperelliptic smoothness test, I', Philos. Trans. Roy. Soc. London, Ser. A, 345 (1993), 397-408.

[113] H. W. Lenstra, J. Pila and C. Pomerance, 'A hyperelliptic smoothness test, II', Proc. London Math. Soc., 84 (2002), 105-146.

[114] Y.-R. Liu, 'Prime divisors of the number of rational points on elliptic curves with complex multiplication', Bull. London Math. Soc., 37 (2005), 658-664.

[115] Y.-R. Liu, 'A prime analogue to Erdős-Pomerance's conjecture for elliptic curves', Comment. Math. Helv., 80 (2005), 755-769.

[116] Y.-R. Liu, 'Prime analogues of the Erdős-Kac theorem for elliptic curves', J. Number Theory, 119 (2006), 155-170.

[117] S. S. Loiperdinger and I. E. Shparlinski, 'On the distribution of the Euler function of shifted smooth numbers', Preprint, 2008 (available from http://arxiv.org/abs/0810.1093).

[118] F. Luca and C. Pomerance, 'On the average number of divisors of the Euler function', Publ. Math. Debrecen, 70 (2007), 125-148.

[119] G. Martin, 'An asymptotic formula for the number of smooth values of a polynomial', J. Number Theory, 93 (2002), 108-182.

[120] U. M. Maurer, 'On the oracle complexity of factoring integers', Computational Complexity, 5 (1996), 237-247.

[121] J. McKee, 'Subtleties in the distribution of the numbers of points on elliptic curves over a finite prime field', J. London Math. Soc., 59 (1999), 448-460.

[122] A. J. Menezes, 'Another look at HMQV', J. Math. Cryptology, 1 (2007), 47-64.

[123] A. J. Menezes, P. C. van Oorschot and S. A. Vanstone, Handbook of applied cryptography, CRC Press, Boca Raton, FL, 1996.

[124] A. J. Menezes and B. Ustaoglu, 'On reusing ephemeral keys in Diffie-Hellman key agreement protocols', Technical Report CACR 2008-24, Univ. of Waterloo, 2008 (available from http://www.cacr.math.uwaterloo.ca/tech_reports.html).

[125] S. Micali and A. Shamir, 'An improvement of the Fiat-Shamir identification and signature scheme', Proc. Crypto'88, Lect. Notes in Comp. Sci., vol. 403, Springer-Verlag, Berlin, 1990, 244-247.

[126] H. Mikawa, 'On primes in arithmetic progressions', Tsukuba J. Math., 25 (2001), 121-153.

[127] S. A. Miri and V. K. Murty, 'An application of sieve methods to elliptic curves', Proc. Indocrypt'01, Lect. Notes in Comp. Sci., vol. 2247, Springer-Verlag, Berlin, 2001, 91-98.

[128] J.-F. Misarsky, 'A multiplicative attack using LLL algorithm on RSA signatures with redundancy', Proc. Crypto'97, Lect. Notes in Comp. Sci., vol. 1294, Springer-Verlag, Berlin, 1997, 221-234.

[129] A. Mohan, Residue number systems: Algorithms and architectures, Springer-Verlag, Berlin, 2002.

[130] D. Naccache, 'Sécurité, cryptographie : théorie et pratique', Mémoire d'habilitation à diriger des recherches, Université Paris VII - Denis Diderot, 2004.

[131] D. Naccache and J. Stern, 'A new public-key cryptosystem', Proc. Eurocrypt'97, Lect. Notes in Comput. Sci., vol. 1233, Springer-Verlag, Berlin, 1997, 27-36.

[132] D. Naccache and J. Stern, 'A new public-key cryptosystem based on higher residues', Proc. 5-th ACM Conference on Computer and Communications Security, ACM Press, 1998, 59-66.

[133] A. M. Odlyzko, 'Discrete logarithms in finite fields and their cryptographic significance', Proc. Eurocrypt'84, Lect. Notes in Comput. Sci., vol. 209, Springer-Verlag, Berlin, 1985, 224-314.

[134] S. T. Parsell and J. P. Sorenson, 'Fast bounds on the distribution of smooth numbers', Proc. 7-th Algorithmic Number Theory Symp., Lect. Notes in Comput. Sci., vol. 4076, Springer-Verlag, Berlin, 2006, 168-181.

[135] S. C. Pohlig and M. E. Hellman, 'An improved algorithm for computing logarithms over GF(p) and its cryptographic significance', IEEE Trans. Inform. Theory, 24 (1978), 106-110.

[136] C. Pomerance, 'Fast, rigorous factorization and discrete logarithm algorithms', Discrete Algorithms and Complexity, Academic Press, 1987, 119-143.

[137] C. Pomerance and I. E. Shparlinski, 'Smooth orders and cryptographic applications', Proc. 5-th Algorithmic Number Theory Symp., Lect. Notes in Comput. Sci., vol. 2369, Springer-Verlag, Berlin, 2002, 338-348.

[138] V. Pratt, 'Every prime has a succinct certificate', SIAM J. Comput., 4 (1975), 214-220.

[139] R. A. Rankin, 'The difference between consecutive prime numbers', J. London Math. Soc., 13 (1938), 242-247.

[140] R. Rivest, A. Shamir and L. Adleman, 'A method for obtaining digital signatures and public key cryptosystems', Commun. ACM, 21 (1978), 120-126.

[141] L. Rónyai, 'Factoring polynomials modulo special primes', Combinatorica, 9 (1989), 199-206.

[142] E. Saias, 'Sur le nombre des entiers sans grand facteur premier', J. Number Theory, 32 (1989), 78-99.

[143] E. Saias, 'Entiers à diviseurs denses I', J. Number Theory, 62 (1997), 163-191.

[144] V. Shoup, 'Smoothness and factoring polynomials over finite fields', Inform. Process. Lett., 38 (1991), 39-42.

[145] I. E. Shparlinski, 'On RSA moduli with prescribed bit patterns', Designs, Codes and Cryptography, 39 (2006), 113-122.

[146] I. E. Shparlinski, 'Character sums over shifted smooth numbers', Proc. Amer. Math. Soc., 135 (2007), 2699-2705.

[147] J. P. Sorenson, 'A fast algorithm for approximately counting smooth numbers', Proc. 4-th Algorithmic Number Theory Symp., Lect. Notes in Comput. Sci., vol. 1838, Springer-Verlag, Berlin, 2000, 539-549.

[148] K. Soundararajan, 'The distribution of smooth numbers in arithmetic progressions', Anatomy of Integers, CRM Proc. and Lect. Notes, vol. 46, Amer. Math. Soc., Providence, RI, 2008, 115-128.

[149] J. Stern, P.-A. Fouque and G.-J. Wackers, 'CryptoComputing with rationals', Proc. Financial Cryptography 2002, Lect. Notes in Comput. Sci., vol. 2357, Springer-Verlag, Berlin, 2002, 136-146.

[150] J. Steuding and A. Weng, 'On the number of prime divisors of the order of elliptic curves modulo p', Acta Arith., 117 (2005), 341-352; 'Erratum', Acta Arith., 119 (2005), 407-408.

[151] D. R. Stinson, Cryptography: Theory and practice, CRC Press, Boca Raton, FL, 2006.

[152] A. V. Sutherland, 'A generic approach to searching for Jacobians', Math. Comp., 78 (2009), 485-507.

[153] K. Suzuki, 'An estimate for the number of integers without large prime factors', Math. Comp., 73 (2004), 1013-1022.

[154] K. Suzuki, 'Approximating the number of integers without large prime factors', Math. Comp., 75 (2006), 1015-1024.

[155] G. Tenenbaum, 'Cribler les entiers sans grand facteur premier', Philos. Trans. Roy. Soc. London, Ser. A, 345 (1993), 377-384.

[156] G. Tenenbaum, Introduction to analytic and probabilistic number theory, Cambridge University Press, 1995.

[157] G. Tenenbaum, 'Crible d'Ératosthène et modèle de Kubilius', Number Theory in Progress (Zakopane-Kościelisko, 1997), vol. 2, Walter de Gruyter, Berlin, 1999, 1099-1129.

[158] G. Tenenbaum, 'A rate estimate in Billingsley's theorem for the size distribution of large prime factors', Quart. J. Math., 51 (2000), 385-403.

[159] G. Tenenbaum, 'Integers with a large friable component', Acta Arith., 124 (2006), 287-291.

[160] N. M. Timofeev, 'Polynomials with small prime divisors', Taškent. Gos. Univ., Naučn. Trudy No. 548, Voprosy Mat., Taškent, 1977, 87-91 (in Russian).

[161] T. Z. Xuan, 'On smooth integers in short intervals under the Riemann hypothesis', Acta Arith., 88 (1999), 327-332.

[162] B. Vallée, 'Gauss' algorithm revisited', J. Algorithms, 12 (1991), 556-572.

[163] A. I. Vinogradov, 'On the remainder in Mertens' formula', Dokl. Akad. Nauk SSSR, 148 (1963), 262-263 (in Russian).

[164] I. M. Vinogradov, 'On a bound for the smallest non-residue of n-th power', Izv. Akad. Nauk SSSR, Ser. Mat., 20 (1926), 47-58 (in Russian).

[165] I. M. Vinogradov, 'A new estimate for ζ(1+it)', Izv. Akad. Nauk SSSR, Ser. Mat., 22 (1958), 161-164 (in Russian).

[166] A. Weng, 'On group orders of rational points of elliptic curves', Quaest. Math., 25 (2002), 513-525.

[167] B. Zralek, 'A deterministic version of Pollard's p - 1 algorithm', Preprint, 2007 (available from http://arxiv.org/abs/0707.4102).

[168] B. Zralek, 'Using the smoothness of p - 1 for computing roots modulo p', Preprint, 2008 (available from http://arxiv.org/abs/0803.0471).